ABSTRACT


The thesis studies the security of the SoDark family of cipher algorithms through
cryptanalysis. The ciphers in question are used to protect messages sent by second- and
third-generation automatic link establishment (ALE) systems for high frequency radios.
Radios utilizing ALE technology are in use by a multitude of government and
non-government organizations worldwide. Structural attacks on up to eight rounds based on
differential properties are presented and implemented in practice. An efficient logic circuit
representation of the only nonlinear component of the ciphers, the S-box, is generated.
That representation, converted to conjunctive normal form (CNF), is used to perform key-
recovery attacks on up to four rounds with the use of Boolean satisfiability problem (SAT)
solvers. The logic circuit representation is further used to develop an efficient bitslicing
CUDA implementation of the cipher. Its efficiency in attacking the cipher is demonstrated.
The impact of the attacks on the ALE system is considered. Finally, the thesis includes
suggestions regarding a replacement cipher and ideas for further cryptanalysis.
CHAPTER 1:
Introduction 


1.1 Introduction 

In radio communications, the frequencies between 3 megahertz (MHz) and 30 MHz are
commonly referred to as the high frequency (HF) band. The main advantage of using this
frequency band for communication is that it allows global coverage without any infrastructure.
This is due to those frequencies' ability to reflect off the ionosphere. Therefore, a
notable characteristic of the HF band is that propagation conditions change continuously
with changes in the ionosphere. The properties of the ionosphere are heavily dependent
on a number of factors, including time of day and year, geographic location, and the sun's
11-year cycle. When establishing a link, i.e., calling another radio station in order to transfer
information, all these factors and more must be taken into account when selecting transmission
parameters such as frequency and power [1]. To achieve reliable communications on
the HF radio bands, skilled and experienced operators are therefore normally needed.

In the past few decades, advances in automatic link establishment (ALE) technology have
allowed relatively unskilled operators to operate HF radios and establish communication
links with success rates and times close to those of skilled and experienced operators. The
addition of automation to any system inevitably introduces both new security issues as well
as new variants of previous issues. The second-generation (2G) and third-generation (3G)
ALE standards address this by including an option for encrypting the link establishment
messages that are sent over the air [1].


1.2 Purpose and Motivation 

The purpose of this thesis is to study the security of the SoDark family of ciphers that are
used to encrypt link establishment messages in the 2G and 3G ALE standards. The security
provided by the ciphers directly affects the performance of ALE systems in the presence of
adversarial electronic warfare measures, which makes knowledge of their security bounds
important.
The SoDark algorithms have been developed specifically for the ALE application [1]. No
public cryptanalysis of the algorithms is available, so their security is, in effect, unknown.
Both 2G and 3G ALE systems are in active use worldwide by users ranging from government
and military, to non-governmental organizations and amateur radio operators [2]. If
cryptographic weaknesses exist in the ciphers protecting these users' ALE HF communications,
knowledge of those weaknesses might help the users compensate for those weaknesses and,
eventually, eliminate them.

1.3 Methodology 

The bounds of security of ciphers are established through cryptanalysis, described in
Chapter 2. For academic purposes, any weakness in a cryptographic system is enough for it to
be considered broken. This includes attacks that are infeasible in practice or only possible
under very special circumstances. A cipher is considered broken in practice if an attack that
affects the security provided by the cipher can be performed in some real-life setting [3].

As such, the method employed in academic cryptanalysis is that of hypothesis testing. The 
null hypothesis, then, is that the cipher is secure and that the most efficient way to attack it 
is through an exhaustive key search (see Chapter 2). An attack on the cipher that requires 
less effort than this constitutes a falsification of the null hypothesis. 


1.4 Thesis Outline 

Chapter 2 provides a brief theoretical background on a number of concepts in cryptography 
and information security that are central to the material covered in the rest of the thesis. 
The chapter also includes a brief overview of ALE technology. 

Chapter 3 contains a description of the SoDark family of ciphers, mainly based on the 
specifications in [1], [4], and [5]. It also introduces the mathematical notation used in 
the cryptanalysis of the ciphers. The chapter also investigates the properties and selection 
criteria of the SoDark S-box and generalizes the cipher’s structure to the Even-Mansour 
(EM) construction. A brief investigation of the cipher’s properties with regard to linear 
cryptanalysis is also performed. 
Chapter 4 contains the main contributions of the thesis: differential-based structural key
recovery attacks on up to eight rounds of the 24-bit SoDark-3 algorithm.

Chapter 5 describes the process of generating efficient logic circuit representations of the 
SoDark S-box. The logic circuit representations are used in the attacks presented in 
Chapters 6 and 7. 

Chapter 6 describes the conversion of the logic circuit representations from Chapter 5 into 
conjunctive normal form (CNF) and the use of Boolean satisfiability problem (SAT) solvers 
for key recovery attacks on up to four rounds of SoDark-3. 

Chapter 7 describes the development of a high-performance bitslicing CUDA
implementation for brute force key recovery attacks on the full cipher. Conversion of the developed
known-plaintext attack into a ciphertext-only attack is described.

Chapter 8 concludes the thesis with a summary of the main results. It investigates the
consequences of the results on the ALE system and provides recommendations. A replacement
cipher, based on best practices, is suggested. The chapter finishes with a brief description
of possible areas of study for further cryptanalysis of the SoDark cipher family.
CHAPTER 2:
Background 


2.1 Information Security 

Information security is a term used for the practices concerning the protection of information, 
regardless of its physical form. The notion of protection is primarily expressed in three 
core concepts: confidentiality, integrity, and availability. Other concepts such as
non-repudiation, accountability, reliability, or variants thereof are sometimes included as further
core concepts. Here, however, focus is on the three primary concepts, which are defined as

- Confidentiality is the protection of the information content itself so that only those 
authorized are able to access and use it. 

- Integrity is the protection of information against unauthorized change as well as the 
ability to detect unauthorized changes that have been made. 

- Availability is the protection of the ability to access the information so that it is 
available for authorized users to read or modify. As such, the protection is against 
physical loss of the information itself as well as against loss of the ability to access or 
transfer it. 

Methods for achieving the three aforementioned conditions vary depending on the
consequences of failure to protect information as well as the information's physical form. They can
include legislation, physical obstacles, backups, spare systems, training, and authentication
mechanisms as well as mathematical and computer algorithms such as cryptosystems [6].

2.2 Block Ciphers 

Block ciphers are prevalent as fundamental building blocks of other algorithms or protocols 
that aim to provide confidentiality, integrity, or availability in digital systems. In that regard, 
they are known as cryptographic primitives. Their basic purpose is to provide a means of 
transforming messages between plaintext space and ciphertext space using a secret key. 
To do this, a block cipher specifies an encryption function $E$ and a decryption function
$D = E^{-1}$ that take the key and message as parameters. In other words: $C = E_K(P)$ and
$P = D_K(C)$. Note that for this to work, $E_K$ must be bijective so that its inverse $D_K$
exists and $D_K(E_K(P)) = P$ for all $K, P$. The relationship between $E$, $D$, $P$, $C$, and $K$ is shown
schematically in Figure 2.1.


Figure 2.1. A generic block cipher with encryption function E and decryption 
function D. 


In digital block cipher systems, the sets of plaintexts and ciphertexts consist of all binary
strings of a certain length $n$: $P, C \in \{0,1\}^n$. This length is known as the block size. The
key is also a binary string of fixed length: $K \in \{0,1\}^k$, but there is no requirement for the
key size $k$ to be the same as the block size $n$. Nevertheless, this is the case for some ciphers
such as the Advanced Encryption Standard (AES), when it is used with a 128-bit key [7].

A block cipher provides security by making it computationally infeasible to discover the 
plaintexts of any number of given ciphertexts, or discover the key used to generate them. 
The inverse, calculating the ciphertexts of any number of given plaintexts, should also be 
infeasible. This is perhaps the most important requirement for any cipher—that the security 
must rely only on the key. In other words, knowledge of the cipher algorithm or any number 
of plaintexts or ciphertexts should not allow an attacker to gain any more information 
about the key or unknown plaintexts or unknown ciphertexts. This principle is known as 
Kerckhoffs’ principle [8] and is a fundamental requirement in all modern cryptography. 

The properties that ciphers must have in order to be secure are described in Shannon’s 
seminal paper [9]. In particular, he introduces the two principles of diffusion and confusion 
that are used to prevent statistical analysis. Diffusion means that any properties of parts 
of the plaintext should be spread out over as much of the ciphertext as possible. In block 
ciphers, this means that the avalanche effect is a desirable property. That is, the change
in a single bit of the plaintext should cause the probability of change for any given bit
of ciphertext to be $1/2$ [7]. While demonstration of the avalanche effect shows a cipher
has diffusion, it is not enough to prove any level of security. For this, confusion is also
necessary, which is in essence the same statement for the key: no simple statistical relation
between the key and ciphertext should exist. Both diffusion and confusion are necessary
for a cipher to be secure. A cipher without one or the other is likely to be vulnerable to
statistical attacks.

The fact that the security of a block cipher should only be dependent on the key makes the 
size of the key space important. If the key space is too small, an adversary that has access to 
a small number of ciphertexts and their corresponding plaintexts can simply perform trial 
decryption with all possible keys until the correct one is found. Note that, by the pigeonhole 
principle, if the key size is larger than the block size, then, for any plaintext, there exists at 
least one ciphertext that is generated by more than one key and vice versa. 

As mentioned previously, block ciphers are usually not used to directly encrypt messages 
in block-sized chunks. Instead, they are used as cryptographic primitives in block cipher 
modes of operation. These modes prevent certain security issues associated with using 
block ciphers directly, enable encryption of variable-length messages, and provide other 
desirable properties such as authentication [7]. While modes of operation are very important 
in the larger context of the use of block ciphers, they have no bearing in the context of the 
usage of the ciphers studied in this thesis. 

Some block ciphers have a third input to the encryption function, in addition to the key 
and plaintext, called a tweak. The first widely known cipher algorithm to use a tweak was 
probably the Hasty Pudding AES candidate [10]. A tweak provides additional keying bits 
that, unlike the key, are not necessarily secret [11]. The tweak is normally stored or sent 
along with the plaintext. The purpose of a tweak is to improve the security of the cipher
with the additional non-secret bits. Ideally, no two plaintexts should be encrypted with the
same combination of key and tweak. The cipher must still be secure even when a key and
tweak combination is reused, as the tweak input may not be used at all in some applications.
Worse, it could be controlled by an adversary. Like the other inputs to a block cipher, the
output should exhibit the avalanche property with respect to the tweak.
2.3 Automatic Link Establishment Systems

As mentioned in Section 1.1, the performance of HF radio systems is highly dependent 
on ionospheric conditions. The most important factors affecting the properties of the 
ionosphere with respect to HF radio are: time of day and year, geographic location, and the 
sun’s 11-year cycle. Additionally, equipment parameters such as output power, antennas, 
and selected modulation also affect propagation. Figure 2.2 shows an HF radio propagation
diagram generated with the Voice of America Coverage Analysis Program (VOACAP) [12].
The diagram shows maximum usable frequency (MUF), lowest usable frequency (LUF), 
and frequency of optimum transmission (FOT) for communication between two geographic 
locations during different times of day. It should be apparent that propagation conditions 
change over time. 





Figure 2.2. Example HF propagation diagram showing maximum usable 
frequency (MUF), lowest usable frequency (LUF), and frequency of optimum 
transmission (FOT) between Grimeton, Sweden, and Long Island, New York, 
during September 2017. Produced using VOACAP. 


Understanding and utilizing the ionospheric conditions correctly as an HF radio operator 
requires training and experience. ALE technologies were created to offset most of this need 
with technology. In an ALE system, a computer selects transmission parameters such as
frequency and power using a model of the ionosphere fed with a large number of parameters. 
In addition, some ALE systems perform regular soundings where one or more stations in an 
ALE radio network transmit sounding signals that are used by receiving stations to measure 
current propagation conditions on different frequencies, thereby improving the model’s 
predictive accuracy [1]. 

The first ALE systems were proprietary developments by a number of commercial vendors.
Interoperability suffered as a consequence. In response to this, 2G ALE was developed and
standardized in MIL-STD-188-141 [4] and FS-1045 [13]. This enabled interoperability
between radios from different manufacturers as well as between organizations [1].

Radios in ALE systems exchange messages in the form of protocol data units (PDU). All
2G ALE PDUs are exactly 24 bits long and consist of a three-bit preamble and three seven-
bit ASCII characters. A typical call from one 2G ALE radio to another with a request to
establish a communications link will consist of three PDUs. The first two are identical and
contain the intended receiver's address while the third contains the sender's address. For
example, the first and second would contain the preamble <TO> (010 in binary) followed
by a three ASCII character address, such as SAM. This example would be hex encoded as
54e0cd. The third PDU in this example could contain the preamble <TIS> (101 in binary)
followed by the sender address JOE and be hex encoded as b2a7c5 [5].
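The PDU layout above is easy to get wrong by one bit, so the following added example (not code from the thesis or the standard) packs and unpacks 24-bit 2G ALE words and reproduces the two hex values quoted in the text. Only the two preamble codes given on this page, TO (010) and TIS (101), are tabulated; the standard defines others that are omitted here.

```python
# Added example, not code from the thesis: packing and unpacking the 24-bit
# 2G ALE PDU described in the text (3-bit preamble followed by three 7-bit
# ASCII characters, most significant bit first). Only the two preamble codes
# given on the page are tabulated; the standard defines more.

PREAMBLE_BITS = {"TO": 0b010, "TIS": 0b101}
PREAMBLE_NAME = {bits: name for name, bits in PREAMBLE_BITS.items()}


def encode_pdu(preamble: str, address: str) -> int:
    """Return the 24-bit PDU word for a preamble and a 3-character address."""
    if preamble not in PREAMBLE_BITS:
        raise ValueError(f"unknown preamble {preamble!r}")
    if len(address) != 3:
        raise ValueError("a 2G ALE address word holds exactly three characters")
    word = PREAMBLE_BITS[preamble]
    for ch in address:
        code = ord(ch)
        if code > 0x7F:
            raise ValueError(f"{ch!r} is not a 7-bit ASCII character")
        word = (word << 7) | code          # append one 7-bit character
    return word                            # 3 + 3 * 7 = 24 bits


def decode_pdu(word: int) -> tuple:
    """Split a 24-bit PDU into (preamble name or raw bits, 3-character address)."""
    if not 0 <= word < (1 << 24):
        raise ValueError("a 2G ALE PDU is exactly 24 bits")
    pre = word >> 21
    preamble = PREAMBLE_NAME.get(pre, f"{pre:03b}")
    address = "".join(chr((word >> shift) & 0x7F) for shift in (14, 7, 0))
    return preamble, address


def call_pdus(caller: str, callee: str) -> list:
    """The three-PDU call from the text: TO callee, TO callee, TIS caller."""
    to_word = encode_pdu("TO", callee)
    return [to_word, to_word, encode_pdu("TIS", caller)]


def pdu_hex(word: int) -> str:
    return f"{word:06x}"


if __name__ == "__main__":
    for w in call_pdus("JOE", "SAM"):
        print(pdu_hex(w), decode_pdu(w))   # 54e0cd ('TO', 'SAM') twice, then b2a7c5 ('TIS', 'JOE')
```

Note that every bit of a PDU is either a fixed preamble or printable ASCII, which is what makes the plaintext space so structured: an attacker who sees an encrypted call already knows a great deal about the three words before any cryptanalysis.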

An obvious requirement for two radios to be able to communicate is that the sender transmits
on the same frequency as the one on which the receiver is listening. To adapt to varying
transmission conditions, ALE radio networks must use several different frequencies. This
is achieved by having all idle radios in a network scan a predefined list of frequencies by
sequentially tuning to them for a short period of time, called the dwell time, and listening
for ALE PDUs. A radio that needs to establish a link with another radio selects a suitable
frequency using the ionospheric transmission model and starts transmitting PDUs on that
frequency. Because the radios scan frequencies asynchronously, some number of tries will
be needed for the intended receiver to register the transmission. When a radio detects a
PDU intended for it, it stops scanning and transmits a reply.

The asynchronous scanning is a source of some inefficiency. The next generation of
the standard, 3G ALE, solved this problem utilizing synchronous scanning, i.e., all radio
stations in the network tune to the same frequency at the same time. Since a transmitting
radio knows which frequency an intended receiver is tuned to at any instant, only a single
transmission will normally be required. A requirement for this to work is for all stations'
internal clocks to be synchronized with an accuracy better than the dwell time. This can
be done by manual input, with the help of external timing input from a global navigation
satellite system receiver, or through asynchronous over-the-air synchronization with another
ALE station.

3G ALE uses 26- and 48-bit PDUs that have different formats from 2G ALE. The addressing 
format is different as well, with 3G ALE using binary addresses. Additionally, 3G ALE 
PDUs contain cyclic redundancy check (CRC) checksums, allowing for error detection. 

To prevent unauthorized users from linking with radios in an ALE radio network, or 
to recover information from intercepted PDUs, the standards specify an optional linking 
protection scheme that allows for encryption of transmitted PDUs. ALE linking protection 
has five application levels (AL): AL-0 through AL-4. Their definitions from [4] are shown 
in Table 2.1. 

Table 2.1. ALE linking protection application levels. Adapted from [4].

Application level   Definition
AL-0                unprotected application level
AL-1                unclassified application level
AL-2                unclassified enhanced application level
AL-3                unclassified but sensitive application level
AL-4                classified application level


The first application level, AL-0, corresponds to all encryption being turned off. Application
levels AL-1 and AL-2 use the SoDark cipher algorithms and are described as "for general
U.S. Government and commercial use." The difference between AL-1 and AL-2 is that
the latter uses a shorter protection interval (PI): two seconds instead of 60 seconds. The
tweak (see Section 2.2 and Chapter 3) used for encryption of PDUs remains the same for
the duration of a PI, so a PDU captured during a PI can be replayed unchanged for the rest
of that interval. This makes AL-1, with its 60-second PI, somewhat vulnerable to replay attacks.
AL-3 and AL-4 use hardware cipher modules developed and approved by the National
Security Agency (NSA). AL-4 is the only AL intended for the protection of classified
information. These application levels are outside the scope of this thesis.

The tweak, which is referred to as seed in the standards, is a 64-bit value used to prevent 
replay attacks. Chapter 3 describes how the tweak is used by the linking protection cipher 
in the ALE protocols. It contains the transmission frequency, PI number (i.e., transmission 
time), date, and the word number (i.e., the order of the PDU in the current transmission). 
The advantage of using that data is that it is implicitly known by the receiver and does not 
need to be transferred along with the ciphertext. Table 2.2 shows the tweak data structure. 


Table 2.2. Construction of tweak used in ALE linking protection. Bit number
1 is the most significant bit and 64 the least significant. Adapted from [4].

Field             Bits
Month             1-4
Day               5-9
PI                10-26
Word number       27-34
Zero pad          35-36
Frequency (BCD)   37-64
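As an added example (not code from the thesis or the standard), the following packs and unpacks the 64-bit seed from the fields in Table 2.2, with bit 1 as the most significant bit. The unit and digit scaling of the BCD frequency field are not given on this page, so the example treats it as a plain seven-digit decimal number; that is an assumption of the example, as is the use of zero for the pad field.

```python
# Added example, not code from the thesis: packing and unpacking the 64-bit
# linking protection seed (the tweak) laid out in Table 2.2. Bit 1 is the most
# significant bit and bit 64 the least significant. The frequency field holds
# seven BCD digits; their unit and scaling are not given on the page, so the
# field is treated here as a plain seven-digit decimal number (assumption).

SEED_FIELDS = [  # (name, first bit, last bit), numbered 1..64 from the MSB
    ("month", 1, 4),
    ("day", 5, 9),
    ("pi", 10, 26),          # protection interval number (transmission time)
    ("word", 27, 34),        # position of the PDU within the transmission
    ("pad", 35, 36),         # always zero
    ("freq_bcd", 37, 64),    # 7 BCD digits
]
FREQ_DIGITS = 7


def to_bcd(value: int, digits: int) -> int:
    """Encode a non-negative decimal integer as packed BCD, one nibble per digit."""
    if not 0 <= value < 10 ** digits:
        raise ValueError(f"{value} does not fit in {digits} BCD digits")
    code = 0
    for ch in f"{value:0{digits}d}":
        code = (code << 4) | int(ch)
    return code


def from_bcd(code: int, digits: int) -> int:
    """Decode packed BCD, rejecting nibbles that are not decimal digits."""
    value = 0
    for pos in range(digits - 1, -1, -1):
        nibble = (code >> (4 * pos)) & 0xF
        if nibble > 9:
            raise ValueError(f"invalid BCD nibble {nibble:#x}")
        value = value * 10 + nibble
    return value


def pack_seed(month: int, day: int, pi: int, word: int, freq: int) -> int:
    """Assemble the 64-bit seed from its fields, checking each field's width."""
    values = {"month": month, "day": day, "pi": pi, "word": word,
              "pad": 0, "freq_bcd": to_bcd(freq, FREQ_DIGITS)}
    seed = 0
    for name, first, last in SEED_FIELDS:
        width = last - first + 1
        v = values[name]
        if not 0 <= v < (1 << width):
            raise ValueError(f"field {name} = {v} exceeds {width} bits")
        seed |= v << (64 - last)        # bit 64 is the LSB, so bit b sits at shift 64-b
    return seed


def unpack_seed(seed: int) -> dict:
    """Inverse of pack_seed; returns the decoded fields with freq as an integer."""
    if not 0 <= seed < (1 << 64):
        raise ValueError("seed must be a 64-bit value")
    fields = {}
    for name, first, last in SEED_FIELDS:
        width = last - first + 1
        fields[name] = (seed >> (64 - last)) & ((1 << width) - 1)
    fields["freq"] = from_bcd(fields.pop("freq_bcd"), FREQ_DIGITS)
    return fields


if __name__ == "__main__":
    s = pack_seed(month=9, day=17, pi=12345, word=3, freq=1234567)
    print(f"{s:016x}", unpack_seed(s))
```

Every field of the seed is something an eavesdropper can also reconstruct from the time and the monitored frequency, which is what makes it a tweak rather than key material: it defeats replay across protection intervals, but contributes nothing to confidentiality against an attacker who knows the PDU timing.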


2.4 Cryptanalysis 

Cryptanalysis is, as the name implies, the analysis of cryptosystems. In particular, crypt¬ 
analysis normally aims to establish the bounds of a cryptosystem’s security. It is practiced 
by both users of cryptosystems and their adversaries. Cryptosystem users perform crypt¬ 
analysis to ensure there are no ways to recover information about plaintexts, ciphertexts, or 
keys. Their adversaries do cryptanalysis in the hope of finding such ways [7]. 

In general, any ability to recover information that requires less effort than trying, on average,
half of the possible keys is considered a break for cryptanalytic purposes. For example,
there exists a key recovery attack on AES with a 128-bit key with computational complexity
proportional to $2^{126.1}$, while the average computational complexity of a brute force attack
is $2^{127}$. AES is therefore broken in theory. Since the complexity of this attack is still
astronomical, however, and requires a very large amount of data, the cipher is not broken in
practice and is still considered safe to use [14].

The starting point for cryptanalysis on a particular cipher is usually to study its mathematical 
description and to apply cryptanalytic techniques that have been successful with other similar 
ciphers. A common approach is to start by analyzing versions of the cipher with reduced 
security. This can, for example, be a version that has a reduced number of rounds or in an
improbable setting, such as having the entire codebook for a given key. The insights from 
these attacks may then provide tools and methods for attacking the cipher with more rounds 
or in more generalized settings [3]. 

Perhaps the single most important property for a cipher to have if it is to be resistant to 
cryptanalysis is nonlinearity. This property follows directly from Shannon’s diffusion and 
confusion properties. A completely linear cipher can simply be described as a system of 
linear equations that can be solved by Gaussian elimination given a very small number 
of plaintexts. Since systems of linear equations can be solved in polynomial time, this is 
expected to be faster than an exhaustive search of the key space, even for very small key 
spaces. 

A nonlinear cipher, on the other hand, must be described as a system of equations of higher
degree. Such a system of equations is reducible to the multivariate quadratic (MQ) problem,
which is non-deterministic polynomial-time (NP)-hard. Thus, it has complexity $O(2^{\alpha n})$,
$0 < \alpha < 1$, in the case of $n$ binary variables. In most cases, this makes it harder to attack a
cipher this way than the brute force approach of testing all the keys, which has complexity
equivalent to $2^{k-1}$ encryptions on average, where $k$ is the key length in bits.

There are exceptions: In some cases, it is possible to linearize the system of equations, i.e.,
to replace all nonlinear terms with new variables and then solve the resulting system of
linear equations. This will yield a number of spurious solutions that must be filtered out.
Linearization of an MQ system of equations is only possible if it is sufficiently sparse and
overdefined. Another exception is the use of SAT solvers or constraint solvers to solve the
system of equations. SAT solvers are able to solve large systems of Boolean equations with
comparatively high speed [15].

While many attacks are specific to certain ciphers, there are a number of attacks that work 
on large classes of block ciphers. Some examples of such generic attacks are given in the 
following sections. 
2.4.1 Brute Force Attacks

A brute force attack works by trying every possible key until the right one is found. On
average, half the key space needs to be searched before the correct key is found so, for a
$k$-bit key, the effort is proportional to $2^{k-1}$. The only protection against brute force key
search is to ensure that the key space is large enough for the attack to be intractable, at least
during the expected period for which the encrypted data needs to be protected. In general,
a cipher is considered secure if no attacks exist that are faster than an exhaustive search
in practice and the size of the key space makes a brute force search impossible. Various
recommendations for minimum key lengths exist. Table 2.3 compiles the recommendations
from [16] and [17]. Among the sources consulted, there is consensus that a 128-bit key size
provides good security, 64 bits or less provides no security in practice, and 80 bits is the
smallest key size that provides any measure of security.


Table 2.3. Key length recommendations. Adapted from [16], [17].

Key size (bits)   Level of security, Knudsen & Robshaw (2010)   Level of security, ECRYPT II (2012)
32                -                                             attacks in real-time by individuals
40                easy to break                                 very short-term protection
64                practical to break                            -
80                not currently feasible                        smallest general-purpose level
96                -                                             legacy standard level
112               -                                             medium-term protection
128               very strong                                   long-term protection
256               exceptionally strong                          foreseeable future


An efficient brute force attack requires an efficient implementation of the cipher function.
Application-specific integrated circuits (ASIC) built specifically for breaking the cipher in
question are the fastest, but most expensive, technology. Constructing an ASIC to perform
brute force key search requires custom integrated circuit design and manufacturing, which is
expensive and out of reach for individuals and small organizations. In 1998, the Electronic
Frontier Foundation (EFF) built an ASIC-based computer, Deep Crack, that could break
the 56-bit Data Encryption Standard (DES) cipher in less than a week. The budget for
the project was about 200,000 U.S. dollars [18]. This is an example of a medium-size
organization's ability to break 56-bit ciphers in the late 1990s.
A slower and cheaper, but still quite efficient, way to perform a brute force search is
to employ field-programmable gate arrays (FPGA). FPGAs are reconfigurable hardware 
gate networks that enable efficient implementations and parallelization of calculations at 
comparatively low cost. Cloud FPGA computing services as well as FPGA expansion cards 
for personal computers are available. This could enable the use of FPGAs for brute force 
key searches by individuals and organizations of any size. 

Graphics processing units (GPU) are primarily designed for real-time rendering of graph¬ 
ics on personal computers. Yet, their design also makes them useful for highly parallel 
computation—a single modern GPU can contain thousands of processor cores. This has 
led to the emergence of general-purpose computing on graphics processing units (GPGPU) 
programming frameworks, such as OpenCL and CUDA, specifically tailored for GPU com¬ 
puting. These frameworks are used to write programs that solve various hard problems 
encountered in a wide range of fields. 

Lastly, brute force key search can be done with central processing units (CPU) in general 
purpose computers. Except for ciphers that have been specifically engineered to resist the 
aforementioned methods, this tends to be the slowest method. To their advantage, however, 
are shorter development time and the possibility of using existing software implementations 
of the cipher. In addition, an organization can use the computer infrastructure it already has 
in place to perform the key search. There are also examples of the Internet being used to 
leverage the power of computers all over the world to perform brute force key search. 

Regardless of the hardware used, the fastest implementations of ciphers are in forms that 
regard the cipher as a network of logic gates rather than as an imperative computer program. 
In ASICs and FPGAs, this enables a design that, in effect, tests one key per clock cycle. In 
GPUs and CPUs, this enables bitslicing implementations. In a bitslicing implementation, 
each variable in the program represents one bit of state and the entire cipher is implemented 
in software as bitwise logic operations. This enables instruction level parallelism, where 
every instruction operates on a number of parallel encryptions or decryptions. The exact 
number is dependent on the platform’s register size. With modern processors that have 
single instruction, multiple data (SIMD) instruction sets with registers as wide as 256 or 
512 bits, this means that that many encryptions or decryptions can be performed in parallel
on a single processor core. Additionally, bit level permutations are performed at no cost at
all in bitslicing implementations [19]. 

Finding the most efficient logic gate representation of nonlinear parts of the cipher, such as 
S-boxes, is an NP-hard problem. Without a clear mathematical description of an S-box, a 
partial search of the solution space using a heuristic algorithm may be the only way to find 
an efficient, but non-optimal, solution. 
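To make the bitslicing idea concrete, the following added example (not code from the thesis) evaluates a 4-bit S-box on 64 inputs at once by treating Python integers as 64-lane words and running a gate list over them. The gate list is derived mechanically from the truth table as a sum of minterms, which is correct but far larger than the circuits found by heuristic search; the S-box is an arbitrary permutation constructed for the example, not the SoDark S-box.

```python
# Added example, not code from the thesis: bitsliced evaluation of a 4-bit
# S-box. Each Python int is a W-lane word (W = 64 mimics a 64-bit register),
# so one pass through the gate list performs W S-box lookups. The gate list is
# the naive sum-of-products form derived from the truth table; the S-box is an
# arbitrary permutation chosen for this example, not the SoDark S-box.

N = 4  # S-box width in bits
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def sop_circuit(sbox):
    """For each output bit, list the minterms (input bit, required value) that set it."""
    circuit = []
    for out_bit in range(N):
        minterms = [tuple((i, (x >> i) & 1) for i in range(N))
                    for x in range(1 << N) if (sbox[x] >> out_bit) & 1]
        circuit.append(minterms)
    return circuit


def gate_count(circuit):
    """Number of 2-input AND/OR gates in the sum-of-products form (NOTs not counted)."""
    return sum((N - 1) * len(m) + (len(m) - 1) for m in circuit)


def slice_in(values):
    """Transpose W values into N words: word i holds input bit i of every lane."""
    words = [0] * N
    for lane, v in enumerate(values):
        for i in range(N):
            if (v >> i) & 1:
                words[i] |= 1 << lane
    return words


def unslice_out(words, lanes):
    """Transpose N output words back into one 4-bit value per lane."""
    return [sum(((words[i] >> lane) & 1) << i for i in range(N))
            for lane in range(lanes)]


def bitsliced_sbox(in_words, circuit, lanes):
    """Evaluate the gate list on all lanes at once with word-wide AND/OR/NOT."""
    mask = (1 << lanes) - 1
    out_words = []
    for minterms in circuit:
        acc = 0
        for minterm in minterms:
            term = mask
            for i, wanted in minterm:
                term &= in_words[i] if wanted else (~in_words[i] & mask)
            acc |= term
        out_words.append(acc)
    return out_words


def sbox_lanes(values):
    """Apply SBOX to every value in `values` through the bitsliced circuit."""
    lanes = len(values)
    circuit = sop_circuit(SBOX)
    return unslice_out(bitsliced_sbox(slice_in(values), circuit, lanes), lanes)


if __name__ == "__main__":
    inputs = [x % 16 for x in range(64)]          # 64 lanes, like a 64-bit register
    assert sbox_lanes(inputs) == [SBOX[x] for x in inputs]
    print("AND/OR gates in the naive circuit:", gate_count(sop_circuit(SBOX)))
```

The transposition into and out of sliced form is the only per-lane work; the S-box itself costs the same number of word operations whether one or 64 (or 512, with wide SIMD registers) lanes are active. The naive circuit here needs 124 AND/OR gates for a 4-bit S-box, which is why the search for a compact representation, the subject of Chapter 5, matters for the speed of a key search.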

2.4.2 Time-Memory Trade-Off Attacks 

Time-memory trade-off (TMTO) attacks exist for all block ciphers. The simplest example
is to construct a dictionary that associates any given plaintext-ciphertext pair with a key.
For most ciphers that are in practical use, the storage space required to mount such an attack
makes this impossible. For a cipher with a block and key size of $n$ bits, the storage space
required for the lookup table would be $n \cdot 2^{2n}$ bits. The required space can be reduced to
$n \cdot 2^n$ bits if the dictionary is restricted to a single plaintext.

Hellman [20] describes a TMTO attack that allows the attacker to choose an almost arbitrary
point on a trade-off curve between the extremes provided by the brute force and dictionary
attacks. A TMTO attack starts by creating reusable tables for a certain plaintext by
performing precomputations of a complexity equivalent to the brute force recovery of a single
key. Given a ciphertext corresponding to that plaintext, the key can be recovered by quickly
regenerating only parts of the precomputations with the help of the tables. This way, the
key can be recovered significantly faster than by brute force alone. TMTO attacks have
been used to perform practical breaks of ciphers that are in current use. One of the more
notable examples of a cipher broken by this is the A5/1 cipher used in the GSM standard for
mobile telephony [21]. For details on the attack, the reader is referred to Hellman's original
paper [20] or to the description in [16].

2.4.3 Meet-in-the-Middle Attacks 

Meet-in-the-middle (MITM) attacks are an example of a type of structural attack. They
exploit the fact that some ciphers can be divided into two parts, where neither part is
dependent on the full key. This attack type was first described in [22], where possible
improvements to the DES algorithm are investigated. When considering double encryption
with DES using two different keys, the authors show that such a system can be broken
with effort proportional to $2^{57}$, despite the system having a 112-bit key. Thus, double
encryption with two independent keys adds only a single bit of security. As an example,
Algorithm 2.1 performs a MITM attack on a product cipher $f = h \circ g$ using two known
plaintext-ciphertext pairs.


Algorithm 2.1 Perform a meet-in-the-middle attack on a product cipher $f = h \circ g$. Adapted 
from [22]. 

 1: procedure MeetInTheMiddle($P_1$, $C_1$, $P_2$, $C_2$) 
 2:   $L \leftarrow$ empty list 
 3:   for all $k_1$ do 
 4:     $v \leftarrow g_{k_1}(P_1)$ 
 5:     $L$.append($v$, $k_1$) 
 6:   end for 
 7:   for all $k_2$ do 
 8:     $w \leftarrow h_{k_2}^{-1}(C_1)$ 
 9:     $k_1 \leftarrow L[w]$ 
10:     if $h_{k_2}(g_{k_1}(P_2)) = C_2$ then 
11:       print($k_1$, $k_2$) 
12:     end if 
13:   end for 
14: end procedure 


In the case of Double DES (2DES), we expect to find the key in about $2^{57}$ DES operations 
using $2^{56}$ 56-bit blocks of memory. For that reason, DES was eventually strengthened 
through Triple DES (3DES), which is still vulnerable to the same attack, but with an attack 
complexity of about $2^{112}$ DES operations. This was considered sufficiently prohibitive at 
the time. 
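As an added example (not code from the thesis or from any of the cited works), the following Python program runs Algorithm 2.1 against double encryption with a constructed 16-bit toy cipher, and also builds and uses one Hellman table of the kind sketched in Section 2.4.2 against the same toy cipher. The toy cipher, its S-box choice, the 16-bit key size, the chain parameters and the identity reduction function are all assumptions made for the example; none of it is DES, A5/1 or SoDark code. The second known pair is what weeds out the roughly $2^{16}$ false matches the first pair leaves, which is why Algorithm 2.1 takes two pairs.

```python
import random

# Constructed toy cipher for illustration only: 16-bit block, 16-bit key, four rounds of
# key addition (with a round constant), a 4-bit S-box applied to every nibble, and a rotation.
# The PRESENT S-box is used purely as a convenient 4-bit permutation.
SBOX4 = [0xc, 0x5, 0x6, 0xb, 0x9, 0x0, 0xa, 0xd, 0x3, 0xe, 0xf, 0x8, 0x4, 0x7, 0x1, 0x2]
SBOX4_INV = [SBOX4.index(i) for i in range(16)]
MASK = 0xFFFF


def toy_encrypt(block, key, rounds=4):
    """E_key(block) for the toy cipher; the final key addition makes the last round keyed too."""
    x = block
    for r in range(rounds):
        x ^= key ^ (r * 0x1111)
        x = sum(SBOX4[(x >> (4 * i)) & 0xF] << (4 * i) for i in range(4))
        x = ((x << 5) | (x >> 11)) & MASK
    return x ^ key


def toy_decrypt(block, key, rounds=4):
    """Inverse of toy_encrypt; needed for the h^{-1}_{k2}(C1) step of Algorithm 2.1."""
    x = block ^ key
    for r in reversed(range(rounds)):
        x = ((x >> 5) | (x << 11)) & MASK
        x = sum(SBOX4_INV[(x >> (4 * i)) & 0xF] << (4 * i) for i in range(4))
        x ^= key ^ (r * 0x1111)
    return x


def mitm_double(pairs):
    """Algorithm 2.1 on f = h o g with g = h = toy_encrypt under independent keys k1, k2.

    pairs: two known (plaintext, ciphertext) pairs. Cost is about 2 * 2^16 toy encryptions
    and a 2^16-entry table instead of the 2^32 trials of brute force on the 32-bit key pair.
    """
    (p1, c1), (p2, c2) = pairs
    table = {}                          # middle value v = g_k1(P1) -> every k1 producing it
    for k1 in range(1 << 16):
        table.setdefault(toy_encrypt(p1, k1), []).append(k1)
    hits = []
    for k2 in range(1 << 16):
        w = toy_decrypt(c1, k2)         # h^{-1}_{k2}(C1) has to meet g_{k1}(P1) in the middle
        for k1 in table.get(w, ()):
            if toy_encrypt(toy_encrypt(p2, k1), k2) == c2:   # second pair removes false matches
                hits.append((k1, k2))
    return hits


def hellman_table(p0, m, t, seed=7):
    """Precompute one Hellman table for the fixed plaintext p0: m chains of length t of the
    map f(k) = E_k(p0). Only (endpoint -> start point) is kept, which is the whole point of
    the trade-off. The identity is used as reduction function (fine for a 16-bit toy only)."""
    rng = random.Random(seed)
    table, starts = {}, []
    for _ in range(m):
        sp = x = rng.randrange(1 << 16)
        for _ in range(t):
            x = toy_encrypt(p0, x)
        table.setdefault(x, sp)         # keep the first chain that reaches a given endpoint
        starts.append(sp)
    return table, starts


def hellman_attack(table, p0, c, t):
    """Online phase for c = E_k(p0): walk forward from c; when a stored endpoint is hit,
    regenerate that chain from its start point and return the key just before c."""
    y = c
    for _ in range(t):
        if y in table:
            x = table[y]
            for _ in range(t):
                if toy_encrypt(p0, x) == c:
                    return x
                x = toy_encrypt(p0, x)
        y = toy_encrypt(p0, y)
    return None                         # key not covered by this table (false alarm or miss)
```

A single table with $m \cdot t$ well below the key space, as above, only covers a fraction of the keys; the full Hellman attack uses many tables with different reduction functions, which is what makes the A5/1 break cited above practical.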


2.4.4 Differential Cryptanalysis 

Differential cryptanalysis is, together with linear cryptanalysis, one of the strongest known 
general attacks on block ciphers. It was first described in the open literature by Biham 
and Shamir [23]. Attacks based on differential cryptanalysis work with differences, called 
differentials, between inputs and outputs of parts of a cipher. Commonly, the differentials 
are defined as the bitwise XOR of two values, although other definitions such as modular 
subtraction can be used. 

The basic idea of differential attacks is to distinguish the output of a certain function from 
random by considering the probability that a certain output differential is generated by a 
certain input differential or vice versa. Since S-boxes are the only source of nonlinearity 
in many ciphers, the study of their differential properties is usually an important part of 
cryptanalysis. An example 4x4 S-box from [16] is shown in Table 2.4, and Table 2.5 shows 
the parts of its difference distribution table (DDT) that correspond to inputs that are bitwise 
complements, i.e., input differential f. It is clear that the output differentials shown in the 
rightmost column are not evenly distributed. The value d, for example, appears with probability 
10/16, and 12 of the 16 possible values have probability 0. 


Table 2.4. An example 4x4 S-box vulnerable to differential cryptanalysis. 
Adapted from [16]. 

  x    | 0 1 2 3 4 5 6 7 8 9 a b c d e f 
  S(x) | 6 4 c 5 0 7 2 e 1 f 3 d 8 a 9 b 


Table 2.5. Excerpt from the difference distribution table of the example 
S-box from Table 2.4. Adapted from [16]. 

The DDTs of the S-boxes in a cipher, together with knowledge of its round structure, 
can be used to construct relations between inputs and outputs of a number of consecutive 
rounds that have probabilities much higher or lower than expected for a cipher adhering to 
Shannon's diffusion property. 

2.4.5 Linear Cryptanalysis 

Linear cryptanalysis was first described by Matsui in his cryptanalysis of the DES cipher 
[24]. As with differential cryptanalysis, it provides a method for discovering and using 
non-random statistical properties of the cipher. This time, the property used is the parity of 
certain bit positions in the input and output. 

Again, an example 4x4 S-box from [16], shown in Table 2.6, illustrates the concept. The top 
two rows in the table show the S-box, while the additional two bottom rows show the parity 
of certain bits of its input and output, respectively, selected by the masks $\alpha = (1,0,0,1)$ and 
$\beta = (0,0,1,0)$. The two bottom rows differ in all columns, except for $x = 1$ and $x = f$. This 
means that the relation $(\alpha \cdot x) \oplus 1 = \beta \cdot S(x)$ holds with probability $14/16$, which is a significant 
difference from the probability $1/2$ expected from an S-box with good nonlinearity. 


Table 2.6. An example 4x4 S-box vulnerable to linear cryptanalysis. Adapted 
from [16]. 

  x                  | 0 1 2 3 4 5 6 7 8 9 a b c d e f 
  S(x)               | f e b c 6 d 7 8 0 3 9 a 4 2 1 5 
  $\alpha \cdot x$    | 0 1 0 1 0 1 0 1 1 0 1 0 1 0 1 0 
  $\beta \cdot S(x)$  | 1 1 1 0 1 0 1 0 0 1 0 1 0 1 0 0 


The equivalent to a DDT in linear cryptanalysis is the linear approximation table (LAT), 
which shows the deviation from the expected probability of $1/2$ for all pairs of input and 
output masks. As with differential cryptanalysis, the LAT in linear cryptanalysis is used 
to create relations between the parity of inputs and outputs of several consecutive cipher 
rounds. The relations can then be used in attacking the cipher. 

For a more in-depth description of the methods of linear and differential cryptanalysis, the 
reader is referred to the excellent tutorials in [16] and [25]. 
CHAPTER 3: 

The SoDark Family of Algorithms 


3.1 Background 

The Lattice cipher algorithm is specified in [4]. It is a 24-bit block cipher that uses a 56-bit 
key and a 64-bit tweak. It has eight rounds and is used to encrypt 24-bit PDUs sent by the 
2G ALE protocol. A version called SoDark-3 is used in the 3G ALE standard to encrypt 
24 bits of the 26-bit PDUs. It is identical to the original Lattice algorithm, except that it 
uses 16 rounds. Since 3G ALE also uses 48-bit PDUs, SoDark-3 has been extended into a 
version with 48-bit block size called SoDark-6. 

The cipher was developed specifically for the ALE application. The main purpose of the 
algorithm, according to [5], is to prevent unauthorized linking with radios that are part of 
an ALE radio network. The reference specifically mentions both replay attacks, where a 
previously sent legitimate PDU is replayed by an adversary, as well as attacks where the 
adversary is actively trying to recover the key. 

Further insight is given by [1], which lists the following seven design requirements for the 
original Lattice algorithm: 

(a) transparency to AEE protocols; 

(b) self-synchronization; 

(c) minimum impact on scanning dwell time; 

(d) 24-bit block operation; 

(e) channel- and time-varying; 

(f) moderate computational requirements; and 

(g) unclassified algorithm. 

Requirements a, b, c, and d all have the same root cause in that the 2G ALE standard uses 
24-bit PDUs and non-synchronous frequency scanning. A station in an HF radio network 
that uses ALE must be able to switch to a frequency and immediately start receiving PDUs. 
Since the dwell time, i.e., the time the station listens to any given frequency, is quite 
short, any received non-authentic PDU must not cause an interruption in scanning. The 
linking protection cipher is also an optional feature in the standard and must be a drop-in 
replacement in the sense that no more data than the 24 or 48 bits allocated in the transmission 
format can be used when linking protection is enabled. 

Requirement e is needed if the cipher is to be semantically secure. Without this, it would be 
trivially vulnerable to traffic analysis and replay attacks. In particular, the short block size 
would enable an attacker to quickly compile relevant parts of the codebook for a given key. 

The last two requirements, f and g, stem from the fact that the ALE algorithm and cipher 
are meant to be used by field radios. 

The round function consists of S-box lookups and XOR operations, which makes the S- 
box the only nonlinear component of the cipher. Table 3.1 shows the S-box lookup table. 
Neither [1] nor [4] nor [5] describes how the S-box was generated or the criteria for its 
selection. 


Table 3.1. The Lattice and SoDark S-box. Adapted from [4]. 
3.2 Notation 

This section introduces the notation used in the descriptions and cryptanalysis of the SoDark 
family of ciphers in this and following chapters. 

The bitwise exclusive or (XOR) operation is denoted by $\oplus$. 

S-box lookups are denoted by $s$ and inverse S-box lookups by $s^{-1}$. 

Concatenation of variables is denoted by $\|$. 

The full plaintext is denoted by $\mathcal{P}$, the full ciphertext by $\mathcal{C}$, the full key by $\mathcal{K}$, and the full 
tweak by $\mathcal{T}$. 

The ciphers described are byte oriented. Input and output bytes to and from each round 
are denoted by the letters A through F, with the letter A representing the most significant 
byte of the state and the other letters representing the following bytes in falling order. To 
differentiate between state in different rounds, a superscript in parentheses is used, where 
$A^{(r-1)}$ represents the input to and $A^{(r)}$ the output from the $r$th round. 

In the cryptanalysis, the state of several parallel encryptions is studied and subscripts are 
used to differentiate the parallel variables. For example, $A_1^{(0)}$ and $A_2^{(0)}$ represent the most 
significant input byte in two parallel encryptions. 

Differentials, i.e., XOR differences between the same state variable in two parallel encryptions, 
are denoted with the $\Delta$ character. Continuing the previous example, $\Delta A^{(0)}$ would be 
the differential of the most significant plaintext byte. 

In some cases it will be convenient to study partial decryptions of the parts of a round that 
are not key-dependent. The notation $\hat{A}$ is used for such partial decryptions. 

Use of the key and tweak is also byte oriented. A certain byte is denoted by $k_i$ for the key and 
$t_i$ for the tweak, starting with the number one for the most significant byte. Multiple-byte 
round keys are denoted by $K$. Different versions of tweak bytes in parallel encryptions are 
denoted by a comma in the subscript. For example, $t_{1,2}$ denotes the most significant tweak 
byte in the second parallel encryption. 
3.3 24-bit Version (SoDark-3) 

Each round operates on the incoming 24-bit word by splitting it into three bytes $A^{(r-1)}$, 
$B^{(r-1)}$, and $C^{(r-1)}$, with $A^{(r-1)}$ containing the most significant bits and $C^{(r-1)}$ the least 
significant. It then calculates three output bytes $A^{(r)}$, $B^{(r)}$, and $C^{(r)}$ in the following manner: 

$$A^{(r)} = s\left(A^{(r-1)} \oplus B^{(r-1)} \oplus k_1\right) \tag{3.1}$$ 

$$C^{(r)} = s\left(C^{(r-1)} \oplus B^{(r-1)} \oplus k_2\right) \tag{3.2}$$ 

$$B^{(r)} = s\left(A^{(r)} \oplus B^{(r-1)} \oplus C^{(r)} \oplus k_3\right) \tag{3.3}$$ 

where $s$ denotes the S-box lookup function and $k_1$, $k_2$, and $k_3$ are the most, middle, and least 
significant bytes of the round key. Note that $B^{(r)}$ is computed from the already updated 
bytes $A^{(r)}$ and $C^{(r)}$. Figure 3.1 shows the encryption process. Decryption is 
performed by inverting the operations in reverse order: 

$$B^{(r-1)} = s^{-1}\left(B^{(r)}\right) \oplus A^{(r)} \oplus C^{(r)} \oplus k_3 \tag{3.4}$$ 

$$A^{(r-1)} = s^{-1}\left(A^{(r)}\right) \oplus B^{(r-1)} \oplus k_1 \tag{3.5}$$ 

$$C^{(r-1)} = s^{-1}\left(C^{(r)}\right) \oplus B^{(r-1)} \oplus k_2. \tag{3.6}$$ 

The key schedule is completely linear. For each round, three bytes of key and three bytes of 
tweak are XORed to create a 24-bit round key. The bytes are used in order, cycling through 
the seven key bytes and the eight tweak bytes independently, and the different 
lengths of the key and tweak ensure that the round keys are different. 

The round keys for the first 16 rounds are listed in Table 3.2. As is apparent from the table, 
and assuming the tweak is known, knowledge of any round key will reveal parts of at least 
half of the round keys. 






Figure 3.1. The first two rounds of the SoDark-3 algorithm. 
Table 3.2. Lattice and SoDark-3 key schedule. 

  Round |            K_r 
        | k1        k2        k3 
  ------+------------------------------ 
    1   | k1 ⊕ t1   k2 ⊕ t2   k3 ⊕ t3 
    2   | k4 ⊕ t4   k5 ⊕ t5   k6 ⊕ t6 
    3   | k7 ⊕ t7   k1 ⊕ t8   k2 ⊕ t1 
    4   | k3 ⊕ t2   k4 ⊕ t3   k5 ⊕ t4 
    5   | k6 ⊕ t5   k7 ⊕ t6   k1 ⊕ t7 
    6   | k2 ⊕ t8   k3 ⊕ t1   k4 ⊕ t2 
    7   | k5 ⊕ t3   k6 ⊕ t4   k7 ⊕ t5 
    8   | k1 ⊕ t6   k2 ⊕ t7   k3 ⊕ t8 
    9   | k4 ⊕ t1   k5 ⊕ t2   k6 ⊕ t3 
   10   | k7 ⊕ t4   k1 ⊕ t5   k2 ⊕ t6 
   11   | k3 ⊕ t7   k4 ⊕ t8   k5 ⊕ t1 
   12   | k6 ⊕ t2   k7 ⊕ t3   k1 ⊕ t4 
   13   | k2 ⊕ t5   k3 ⊕ t6   k4 ⊕ t7 
   14   | k5 ⊕ t8   k6 ⊕ t1   k7 ⊕ t2 
   15   | k1 ⊕ t3   k2 ⊕ t4   k3 ⊕ t5 
   16   | k4 ⊕ t6   k5 ⊕ t7   k6 ⊕ t8 
3.4 48-bit Version (SoDark-6) 

The version of the algorithm with 48-bit block length, SoDark-6, is a direct extension of 
SoDark-3. Figure 3.2 shows the encryption process: Each round splits the incoming 48-bit 
word into six bytes $A^{(r-1)}$ through $F^{(r-1)}$, with $A^{(r-1)}$ containing 
the most significant bits and $F^{(r-1)}$ the least significant. It then calculates six output bytes 
$A^{(r)}$ through $F^{(r)}$ in the following manner: 

$$A^{(r)} = s\left(A^{(r-1)} \oplus B^{(r-1)} \oplus F^{(r-1)} \oplus k_1\right) \tag{3.7}$$ 

$$C^{(r)} = s\left(B^{(r-1)} \oplus C^{(r-1)} \oplus D^{(r-1)} \oplus k_2\right) \tag{3.8}$$ 

$$E^{(r)} = s\left(D^{(r-1)} \oplus E^{(r-1)} \oplus F^{(r-1)} \oplus k_3\right) \tag{3.9}$$ 

$$B^{(r)} = s\left(A^{(r)} \oplus B^{(r-1)} \oplus C^{(r)} \oplus k_4\right) \tag{3.10}$$ 

$$D^{(r)} = s\left(C^{(r)} \oplus D^{(r-1)} \oplus E^{(r)} \oplus k_5\right) \tag{3.11}$$ 

$$F^{(r)} = s\left(E^{(r)} \oplus F^{(r-1)} \oplus A^{(r)} \oplus k_6\right). \tag{3.12}$$ 

Again, $k_i$ denotes the $i$th byte of the round key, where $k_1$ is the most significant. The key 
schedule is analogous to the one used by the 24-bit versions and is shown in Table 3.3. 
Decryption is also analogous to the 24-bit version: 

$$B^{(r-1)} = s^{-1}\left(B^{(r)}\right) \oplus A^{(r)} \oplus C^{(r)} \oplus k_4 \tag{3.13}$$ 

$$D^{(r-1)} = s^{-1}\left(D^{(r)}\right) \oplus C^{(r)} \oplus E^{(r)} \oplus k_5 \tag{3.14}$$ 

$$F^{(r-1)} = s^{-1}\left(F^{(r)}\right) \oplus E^{(r)} \oplus A^{(r)} \oplus k_6 \tag{3.15}$$ 

$$A^{(r-1)} = s^{-1}\left(A^{(r)}\right) \oplus B^{(r-1)} \oplus F^{(r-1)} \oplus k_1 \tag{3.16}$$ 

$$C^{(r-1)} = s^{-1}\left(C^{(r)}\right) \oplus B^{(r-1)} \oplus D^{(r-1)} \oplus k_2 \tag{3.17}$$ 

$$E^{(r-1)} = s^{-1}\left(E^{(r)}\right) \oplus D^{(r-1)} \oplus F^{(r-1)} \oplus k_3. \tag{3.18}$$ 

One notable change from SoDark-3 is that the mixing of inputs "wraps around" in the 
sense that the most and least significant bytes A and F are mixed with each other. 
Table 3.3. SoDark-6 key schedule. 

  Round |                           K_r 
        | k1        k2        k3        k4        k5        k6 
  ------+------------------------------------------------------------ 
    1   | k1 ⊕ t1   k2 ⊕ t2   k3 ⊕ t3   k4 ⊕ t4   k5 ⊕ t5   k6 ⊕ t6 
    2   | k7 ⊕ t7   k1 ⊕ t8   k2 ⊕ t1   k3 ⊕ t2   k4 ⊕ t3   k5 ⊕ t4 
    3   | k6 ⊕ t5   k7 ⊕ t6   k1 ⊕ t7   k2 ⊕ t8   k3 ⊕ t1   k4 ⊕ t2 
    4   | k5 ⊕ t3   k6 ⊕ t4   k7 ⊕ t5   k1 ⊕ t6   k2 ⊕ t7   k3 ⊕ t8 
    5   | k4 ⊕ t1   k5 ⊕ t2   k6 ⊕ t3   k7 ⊕ t4   k1 ⊕ t5   k2 ⊕ t6 
    6   | k3 ⊕ t7   k4 ⊕ t8   k5 ⊕ t1   k6 ⊕ t2   k7 ⊕ t3   k1 ⊕ t4 
    7   | k2 ⊕ t5   k3 ⊕ t6   k4 ⊕ t7   k5 ⊕ t8   k6 ⊕ t1   k7 ⊕ t2 
    8   | k1 ⊕ t3   k2 ⊕ t4   k3 ⊕ t5   k4 ⊕ t6   k5 ⊕ t7   k6 ⊕ t8 
    9   | k7 ⊕ t1   k1 ⊕ t2   k2 ⊕ t3   k3 ⊕ t4   k4 ⊕ t5   k5 ⊕ t6 
   10   | k6 ⊕ t7   k7 ⊕ t8   k1 ⊕ t1   k2 ⊕ t2   k3 ⊕ t3   k4 ⊕ t4 
   11   | k5 ⊕ t5   k6 ⊕ t6   k7 ⊕ t7   k1 ⊕ t8   k2 ⊕ t1   k3 ⊕ t2 
   12   | k4 ⊕ t3   k5 ⊕ t4   k6 ⊕ t5   k7 ⊕ t6   k1 ⊕ t7   k2 ⊕ t8 
   13   | k3 ⊕ t1   k4 ⊕ t2   k5 ⊕ t3   k6 ⊕ t4   k7 ⊕ t5   k1 ⊕ t6 
   14   | k2 ⊕ t7   k3 ⊕ t8   k4 ⊕ t1   k5 ⊕ t2   k6 ⊕ t3   k7 ⊕ t4 
   15   | k1 ⊕ t5   k2 ⊕ t6   k3 ⊕ t7   k4 ⊕ t8   k5 ⊕ t1   k6 ⊕ t2 
   16   | k7 ⊕ t3   k1 ⊕ t4   k2 ⊕ t5   k3 ⊕ t6   k4 ⊕ t7   k5 ⊕ t8 
3.5 S-box Properties and Probable Generation and Selection Criteria 

The facts that none of the available descriptions of the algorithm mention anything about 
the S-box selection criteria and that the S-box is the only nonlinear part of the cipher 
make its properties important to study. This has been done using the techniques described 
in [26]. Following the proposed strategy in that article, the S-box was first studied using 
what the authors call the “Pollock” technique. The name alludes to the 20th century 
abstract expressionist painter and simply consists of plotting the S-box’s LAT and DDT, 
studying them to find non-random patterns. The visualizations of the LAT and DDT are 
shown in Figures 3.3 and 3.4, respectively. Inspection of them does not reveal any obvious 
non-random patterns. 

In [27], the study of the visual representation of the LAT modulo 4 is suggested. It notes 
that the presence of patterns there can indicate that the S-box was generated by a Feistel 
network with a low number of rounds. The LAT modulo 4 of the SoDark S-box is shown in 
Figure 3.5. It does indeed show unmistakable patterns. For that reason, the possibility that 
the S-box was generated by a Feistel network was investigated using the techniques described 
in [26]. Algorithm 2 from that article, DecomposeFeistel, was implemented to generate 
a CNF representation of a Feistel network that can generate the S-box. This representation 
was then used as input to the SAT solvers CryptoMiniSat [28] and Treengeling [29], 
which found the problem unsatisfiable. This ruled out the possibility that the S-box was 
generated by a Feistel network with bijective round functions and five or fewer rounds. The 
authors of [27] have noted in an associated presentation, that randomly generated S-boxes 
can have patterns in the LAT modulo 4 that look similar to those in S-boxes generated by 
Feistel networks with more than five rounds. 


With the hypothesis that the S-box was generated by a low round Feistel network falsified, 
the possibility that the S-box was a randomly selected permutation was investigated. In [26], 
the probability distribution of the coefficients in the LAT of a random permutation is given 
as 


$$P\left[c_{i,j} = 2z\right] = \frac{\binom{2^{n-1}}{2^{n-2}+z}^{2}}{\binom{2^{n}}{2^{n-1}}} \tag{3.19}$$ 


where $P[c_{i,j} = 2z]$ is the probability that a particular combination of input and output bits 
will have the bias $2z$ and $n$ is the S-box width in bits. This probability distribution is 
plotted together with the distribution of the SoDark S-box LAT in Figures 3.6 and 3.7. 
The predicted and actual distributions track each other very closely, and a $\chi^2$ test was made 
to establish the goodness of fit. With $\chi^2 = 91.3$ and 38 degrees of freedom, this yields a 
p-value less than 0.00001. Read as a textbook goodness-of-fit test, a p-value that small would 
formally reject the fitted distribution rather than confirm it, so the statistic on its own does 
not establish randomness; the conclusion that the SoDark S-box was chosen randomly rests on 
the close agreement visible in Figures 3.6 and 3.7, and the inflated statistic is at least partly 
explained by the non-independence discussed below. The only selection criterion was probably 
that there could be no fixed points, i.e., no $X \in \{0,1\}^8$ such that $s(X) = X$. 

It should be noted that the $\chi^2$ test assumes that each trial in the experiment is independent 
of the other trials. This is not strictly true in the case of the different factors in a LAT. The 
$\chi^2$ measure is still used here though, since it is believed to be a good approximation of the 
goodness of fit, despite non-independence of the LAT biases. 

The fact that the S-box was chosen at random means that it is unlikely to have the properties 
that are considered important for S-boxes used in modern ciphers. In particular, randomly 
chosen S-boxes are typically vulnerable to both linear and differential cryptanalysis [16]. 
That this is the case here can be understood by studying Figures 3.3, 3.4, 3.6, and 3.7. 
The highest linear bias is slightly higher than the average expected bias of a random 
permutation (see Figure 3.7). In regard to resistance to differential cryptanalysis, the 
differential (delta) uniformity, i.e., the highest entry in the DDT outside the trivial row for the 
zero input differential, is also high at 14. This can be contrasted with the differential 
uniformity of S-boxes that have been engineered to resist differential cryptanalysis, such as 
the AES S-box, where it is 4. Since every row of the DDT sums to $2^8$, the large number of 
high-probability differentials also means that the S-box has a large number of differentials 
with probability zero. 
Figure 3.3. Graphic representation of the SoDark S-box LAT. 

Figure 3.4. Graphic representation of the SoDark S-box DDT. 

Figure 3.5. Graphic representation of the SoDark S-box LAT modulo 4. 
Figure 3.6. Linear approximation distribution: expected random S-box LAT distribution and 
SoDark S-box LAT distribution; horizontal axis: bias $2z$; vertical axis: number of in/out 
combinations with bias $2z$. 

Figure 3.7. Linear approximation distribution, logarithmic scale (same series and axes as 
Figure 3.6). 
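As an added example (not code from the thesis), the following Python program computes the DDT and LAT introduced in Sections 2.4.4 and 2.4.5, reproduces the two facts read off the tables there (the complement-input row of Table 2.4 and the mask pair of Table 2.6), and implements Equation 3.19 so that the LAT coefficient histogram of a random 8-bit permutation can be compared against the prediction in the way this section does for the SoDark S-box. The random permutation is a constructed stand-in, since the real S-box (Table 3.1) is not reproduced on this page; the function names and the seed are the example's own. The LAT is computed with one Walsh-Hadamard transform per output mask, which is what makes the 8-bit case cheap.

```python
import random
from math import comb

# The two 4-bit S-boxes tabulated in Tables 2.4 and 2.6, indexed by x = 0..f.
S_DIFF = [0x6, 0x4, 0xc, 0x5, 0x0, 0x7, 0x2, 0xe, 0x1, 0xf, 0x3, 0xd, 0x8, 0xa, 0x9, 0xb]
S_LIN = [0xf, 0xe, 0xb, 0xc, 0x6, 0xd, 0x7, 0x8, 0x0, 0x3, 0x9, 0xa, 0x4, 0x2, 0x1, 0x5]


def parity(v):
    """Parity of the bits selected by a mask, i.e. the dot product a.x over GF(2)."""
    return bin(v).count("1") & 1


def ddt(sbox):
    """Difference distribution table: ddt[din][dout] = #{x : S(x) ^ S(x ^ din) == dout}."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for din in range(n):
        for x in range(n):
            table[din][sbox[x] ^ sbox[x ^ din]] += 1
    return table


def differential_uniformity(sbox):
    """Largest DDT entry over nonzero input differences (called delta uniformity in the text)."""
    return max(max(row) for row in ddt(sbox)[1:])


def walsh(f):
    """Fast Walsh-Hadamard transform of a +/-1 sequence of length 2^n: w[a] = sum_x f(x)(-1)^(a.x)."""
    a = list(f)
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                a[j], a[j + h] = a[j] + a[j + h], a[j] - a[j + h]
        h *= 2
    return a


def lat(sbox):
    """Linear approximation table: lat[a][b] = #{x : a.x == b.S(x)} - 2^(n-1), which is the
    coefficient c_ij = 2z of Equation 3.19. One Walsh transform per output mask b."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for b in range(n):
        w = walsh([1 - 2 * parity(b & sbox[x]) for x in range(n)])
        for a in range(n):
            table[a][b] = w[a] // 2          # w[a] = (#equal) - (#different) is always even
    return table


def random_lat_probability(n, z):
    """Equation 3.19: probability that a LAT coefficient of a random n-bit permutation equals 2z."""
    half, quarter = 2 ** (n - 1), 2 ** (n - 2)
    return comb(half, quarter + z) ** 2 / comb(2 ** n, half)


def lat_histogram(sbox):
    """Observed count of every LAT coefficient over all nonzero input and output masks."""
    counts = {}
    table = lat(sbox)
    for a in range(1, len(sbox)):
        for b in range(1, len(sbox)):
            counts[table[a][b]] = counts.get(table[a][b], 0) + 1
    return counts


def expected_lat_histogram(n):
    """Counts predicted by Equation 3.19 for the (2^n - 1)^2 nonzero mask pairs."""
    total = (2 ** n - 1) ** 2
    q = 2 ** (n - 2)
    return {2 * z: total * random_lat_probability(n, z) for z in range(-q, q + 1)}


def random_permutation_no_fixed_points(n, seed=2017):
    """Constructed stand-in for a randomly chosen n-bit S-box whose only criterion is 'no fixed points'."""
    rng = random.Random(seed)
    perm = list(range(2 ** n))
    while True:
        rng.shuffle(perm)
        if all(perm[i] != i for i in range(len(perm))):
            return perm
```

`lat_histogram(random_permutation_no_fixed_points(8))` and `expected_lat_histogram(8)` give the two series plotted in Figures 3.6 and 3.7 for the stand-in; comparing them bin by bin is the goodness-of-fit computation of this section, with the caveat above that LAT entries are not independent.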
3.6 Equivalence to the Even-Mansour Construction 

Due to the commutative property of the XOR operation, each round of the algorithm can 
be rewritten as a function of one 24-bit input vector $P_r = A \,\|\, B \,\|\, C$: 

$$P_{r+1} = g\left(P_r \oplus K_r\right) \tag{3.20}$$ 

where $g$ is a bijective mapping $g : \{0,1\}^{24} \to \{0,1\}^{24}$ defined as 

$$g(X) = g(A \,\|\, B \,\|\, C) = s(A) \oplus B' \;\|\; B' \;\|\; s(C) \oplus B' \tag{3.21}$$ 

and 

$$B' = s\left(s(A) \oplus B \oplus s(C)\right). \tag{3.22}$$ 

The transformation 

$$T(X) = T(A \,\|\, B \,\|\, C) = A \oplus B \;\|\; B \;\|\; B \oplus C \tag{3.23}$$ 

must also be applied before the first and after the last round to ensure the rewritten algorithm 
is equivalent to the original definition; $T$ is its own inverse, so the same transformation 
serves at both ends. It follows from the definition of $g$ that it is bijective, provided that $s$ 
is bijective. The SoDark algorithm with $r$ rounds can now be expressed as 

$$E_{\mathcal{K}}(\mathcal{P}) = T\left(g\left(g\left(\cdots g\left(g\left(T(\mathcal{P}) \oplus K_1\right) \oplus K_2\right) \cdots \oplus K_{r-1}\right) \oplus K_r\right)\right) \tag{3.24}$$ 

where $K_r = k_1 \,\|\, k_3 \,\|\, k_2$ with values from Table 3.2; note the order, as the round key byte 
that the original round function adds to the middle byte, $k_3$, lands in the middle of the 
rewritten state. Figure 3.8 shows the algorithm expressed in this manner. Decryption is 
identical to encryption with $g^{-1}$ in place of $g$ and the round keys applied in reverse order. 
A representation of SoDark-6 can be derived in the same manner. 

Figure 3.8. An $r$-round iterated Even-Mansour construction with round 
function $g$ and initial and final transformations $T$. 

From Equation 3.24, it is now clear that the algorithm is equivalent to the iterated EM 
construction [30], with $g$ as the random permutation function and the transformation $T$ 
applied to the plaintext and ciphertext. The applications of $T$ and the last application of $g$ 
provide no additional security as their inverses are known. 

3.7 Properties with Respect to Linear Cryptanalysis 

Since the 8-bit S-box had a number of linear combinations of input and output bits with high 
bias, the assumption was made that the prevalence of high-bias linearities would carry over to 
the 24-bit S-box $g$ of Section 3.6. It is not feasible to generate the full LAT for a 24-bit 
S-box, since this process has very high time and memory complexities. For that reason, 
only a part of the set of possible linearizations has been searched. 

Initially, all combinations of one, two, three, and four input and output bits were searched 
to find good linearizations. This yielded a number of linearizations with significant bias, 
some over 10%. The best linearizations found using this method are presented in Table 3.4. 

In order to find more high-bias linearizations of the 24-bit S-box, a heuristic search algorithm 
was used. Different combinations of high-linearity input masks for the 8-bit S-box and their 
corresponding output masks were tried on the 24-bit S-box. The results of this were 
surprisingly good: linearizations with up to 14.8% bias were found. The best known 
linearizations for the 24-bit S-box are presented in Table 3.5. 

In all, 111 linearizations with a bias of more than 10% have been found. 

Using a branch and bound algorithm, combinations of the S-box linearizations that approximate 
five rounds of the cipher were found, i.e., the number of rounds needed for an attack 
on the eight-round variant used in 2G ALE. The biases of those linearizations are so low 
that even if given all $2^{24}$ theoretically possible plaintext messages and their corresponding 
ciphertexts, the probability of recovering key bits faster than brute force is prohibitively 
low. 
Table 3.4. Linearizations of the 24-bit SoDark S-box found by searching 
all one-, two-, three-, and four-bit combinations. 

  Input mask   Output mask   Bias 
  000060       002222        -10.94% 
  600000       222200        -10.94% 
  0000C8       00A0A0        -10.94% 
  C80000       A0A000        -10.94% 
  00009A       000202        -10.94% 
  9A0000       202000        -10.94% 


Table 3.5. Best known linearizations for the 24-bit SoDark algorithm S-box. 

  Input mask   Output mask   Bias 
  000073       007777         14.8% 
  730000       777700         14.8% 
  000024       009191         14.1% 
  240000       919100         14.1% 
  0000C0       001515        -14.1% 
  C00000       151500        -14.1% 
CHAPTER 4: 
Structural Attacks 


4.1 Measures of Complexity 

The efficiency of a cryptographic attack is measured by its complexity. It provides a 
means of relating the speed of the attack to that of a brute force approach, or of comparing 
different attacks with each other. An attack's complexity can be stated for its time, data, and 
memory requirements. Time complexity specifies how many operations of some kind the 
attack requires on average. It is normally the most important complexity considered. 
Data complexity specifies the amount of data needed in the form of plaintext-ciphertext 
pairs, or the like, to perform the attack. Lastly, an attack's memory complexity describes 
the amount of memory that it needs to run. 

For the attacks presented in this and following chapters, complexities are stated in exponential 
notation. In the case of an attack on $r$ rounds, the unit used to describe the time 
complexity is the number of $r$-round encryptions that would take the same time to perform. 
As an example, a brute force attack on SoDark, which uses 56-bit keys, is expected to 
have a complexity of $2^{55}$ on average. 

The speed of SoDark implementations is almost entirely dependent on the number of S-box 
operations performed. The number and speed of all other operations required in encryption, 
decryption, and attacks are negligible in comparison. For that reason, the number of S-box 
operations required to test one key in a brute force attack will be used to calculate the 
relative time complexity of other attacks. Testing one key in an $r$-round brute force attack 
requires $3 \cdot (r - 1)$ S-box operations, since the last, unkeyed application of $g$ (Section 3.6) 
can be undone on the ciphertext once rather than recomputed for every key. 

For data complexities, the unit used is the number of known ciphertexts, plaintext-ciphertext 
pairs, or plaintext-ciphertext-tweak tuples that are needed to perform the attack with some 
specified probability of success. 

For memory complexities, the unit is the cipher block size. 
For time complexities in particular, the actual complexity required to perform an attack may 
vary. This is both because of the "luck" aspect, as the correct key could be among the first 
or last tried, but also because the number of matching differentials in some intermediate 
state of the cipher may be unusually high or low. In the calculations of time complexities, 
the average number of one-byte keys implying a specific one-byte target differential was 
used. This number is believed to result in the best estimates of average-case performance. 
It was calculated from the SoDark S-box DDT as $\approx 2.6$. Over the set of all 
possible one-byte keys, the average number of possible output differentials for a given input 
differential to the S-box is $\approx 100$. Both these averages exclude the zero differential, 
which only implies itself. The two figures are consistent with each other: each row of the 
DDT for a nonzero input differential sums to $2^8 = 256$, and $256/100 \approx 2.6$. 

4.2 Attacks on Iterated Even-Mansour Constructions 

It is immediately apparent that one round of SoDark provides no security at all since, 
given one plaintext-ciphertext-tweak tuple $(\mathcal{P}, \mathcal{C}, \mathcal{T})$, the round key follows directly 
from Equation 3.24 as $K_1 = g^{-1}(T(\mathcal{C})) \oplus T(\mathcal{P})$, and XORing out the known tweak 
bytes yields the key bytes $k_1$, $k_2$, and $k_3$. Two rounds of the algorithm are equivalent 
to the original one-round EM construction described in [30]. 

Known and chosen plaintext attacks on the EM construction corresponding to the lower 
bound proven by Even and Mansour in [30] are presented by Daemen in [31]. For the 
case of two independent subkeys of size $n$, Daemen shows a known-plaintext attack with an 
average time complexity proportional to $2^{n-1}$ and a chosen-plaintext attack with complexity 
proportional to $2^{n/2}$. Both of these are significantly faster than the $2^{2n}$ complexity of a brute 
force attack. Thus, the two-round SoDark-3 algorithm provides at most 12 bits of security 
in regard to this attack. Further insight is given by [32], which shows that independent 
subkeys in the single-round EM construction provide no added security compared to a 
construction with identical subkeys. 

Attacks on various iterated versions of the EM construction are presented in [33], [34], 
and [35]. Notably, [34] demonstrates that, for $< 4$ rounds with two independent keys used 
in any order throughout the rounds, the time complexity for recovering the keys is at most 
proportional to $2^n$. (An $r$-round iterated EM construction uses $r + 1$ keys.) 
Generalizing, [36] shows that an $r$-round iterated EM construction with independent 
round keys has an upper security bound of $r \cdot 2^{\ldots}$ queries to an oracle, where $n$ is the block 
size. The article also shows an attack for an $r$-round iterated EM construction with time 
complexity proportional to $2^{\ldots}$. 

While attacks on the SoDark cipher that consider it as an EM construction are directly applicable, 
they are suboptimal because they regard the 24-bit S-box as a random permutation. 
In reality, it is a combination of three 8-bit S-boxes (see Equations 3.21 and 3.22). This 
structure can be used to mount the more efficient attacks described in the following sections. 

4.3 Known-Plaintext Attack on Two-Round SoDark-3 


The calculations for two rounds of encryption using SoDark-3 are: 

$$A^{(1)} = s\left(A^{(0)} \oplus B^{(0)} \oplus k_1 \oplus t_1\right) \tag{4.1}$$ 

$$C^{(1)} = s\left(C^{(0)} \oplus B^{(0)} \oplus k_2 \oplus t_2\right) \tag{4.2}$$ 

$$B^{(1)} = s\left(A^{(1)} \oplus B^{(0)} \oplus C^{(1)} \oplus k_3 \oplus t_3\right) \tag{4.3}$$ 

$$A^{(2)} = s\left(A^{(1)} \oplus B^{(1)} \oplus k_4 \oplus t_4\right) \tag{4.4}$$ 

$$C^{(2)} = s\left(C^{(1)} \oplus B^{(1)} \oplus k_5 \oplus t_5\right) \tag{4.5}$$ 

$$B^{(2)} = s\left(A^{(2)} \oplus B^{(1)} \oplus C^{(2)} \oplus k_6 \oplus t_6\right). \tag{4.6}$$ 

Since the inverse $s^{-1}$ and the tweak are known, 

$$s^{-1}\left(B^{(2)}\right) \oplus A^{(2)} \oplus C^{(2)} \oplus t_6 = B^{(1)} \oplus k_6 \tag{4.7}$$ 

$$s^{-1}\left(C^{(2)}\right) \oplus t_5 = C^{(1)} \oplus B^{(1)} \oplus k_5 \tag{4.8}$$ 

$$s^{-1}\left(A^{(2)}\right) \oplus t_4 = A^{(1)} \oplus B^{(1)} \oplus k_4 \tag{4.9}$$ 

can be calculated. From Equations 4.1 through 4.6, it is also evident that 

$$A^{(2)} = s\left(s\left(A^{(0)} \oplus B^{(0)} \oplus k_1 \oplus t_1\right) \oplus s\left(B^{(0)} \oplus A^{(1)} \oplus C^{(1)} \oplus k_3 \oplus t_3\right) \oplus k_4 \oplus t_4\right) \tag{4.10}$$ 

and 

$$C^{(2)} = s\left(s\left(C^{(0)} \oplus B^{(0)} \oplus k_2 \oplus t_2\right) \oplus s\left(B^{(0)} \oplus A^{(1)} \oplus C^{(1)} \oplus k_3 \oplus t_3\right) \oplus k_5 \oplus t_5\right). \tag{4.11}$$ 

Now, given two plaintext-ciphertext-tweak tuples, the differentials $\Delta A^{(1)}$ and $\Delta C^{(1)}$ 
can be calculated from the ciphertexts alone, because the unknown key bytes $k_4$, $k_5$, and $k_6$ 
on the right-hand sides of Equations 4.7 through 4.9 cancel when the two encryptions are 
XORed. Written out from the plaintext side, each of them depends on a single key byte: 

$$\begin{aligned} 
\Delta A^{(1)} &= A_1^{(1)} \oplus A_2^{(1)} = \left(A_1^{(1)} \oplus B_1^{(1)}\right) \oplus \left(A_2^{(1)} \oplus B_2^{(1)}\right) \oplus B_1^{(1)} \oplus B_2^{(1)} \\ 
&= s\left(A_1^{(0)} \oplus B_1^{(0)} \oplus k_1 \oplus t_{1,1}\right) \oplus s\left(B_1^{(0)} \oplus A_1^{(1)} \oplus C_1^{(1)} \oplus k_3 \oplus t_{3,1}\right) \oplus \\ 
&\quad\; s\left(A_2^{(0)} \oplus B_2^{(0)} \oplus k_1 \oplus t_{1,2}\right) \oplus s\left(B_2^{(0)} \oplus A_2^{(1)} \oplus C_2^{(1)} \oplus k_3 \oplus t_{3,2}\right) \oplus \\ 
&\quad\; s\left(B_1^{(0)} \oplus A_1^{(1)} \oplus C_1^{(1)} \oplus k_3 \oplus t_{3,1}\right) \oplus s\left(B_2^{(0)} \oplus A_2^{(1)} \oplus C_2^{(1)} \oplus k_3 \oplus t_{3,2}\right) \\ 
&= s\left(A_1^{(0)} \oplus B_1^{(0)} \oplus k_1 \oplus t_{1,1}\right) \oplus s\left(A_2^{(0)} \oplus B_2^{(0)} \oplus k_1 \oplus t_{1,2}\right) 
\end{aligned} \tag{4.12}$$ 

$$\begin{aligned} 
\Delta C^{(1)} &= C_1^{(1)} \oplus C_2^{(1)} = \left(C_1^{(1)} \oplus B_1^{(1)}\right) \oplus \left(C_2^{(1)} \oplus B_2^{(1)}\right) \oplus B_1^{(1)} \oplus B_2^{(1)} \\ 
&= s\left(C_1^{(0)} \oplus B_1^{(0)} \oplus k_2 \oplus t_{2,1}\right) \oplus s\left(B_1^{(0)} \oplus A_1^{(1)} \oplus C_1^{(1)} \oplus k_3 \oplus t_{3,1}\right) \oplus \\ 
&\quad\; s\left(C_2^{(0)} \oplus B_2^{(0)} \oplus k_2 \oplus t_{2,2}\right) \oplus s\left(B_2^{(0)} \oplus A_2^{(1)} \oplus C_2^{(1)} \oplus k_3 \oplus t_{3,2}\right) \oplus \\ 
&\quad\; s\left(B_1^{(0)} \oplus A_1^{(1)} \oplus C_1^{(1)} \oplus k_3 \oplus t_{3,1}\right) \oplus s\left(B_2^{(0)} \oplus A_2^{(1)} \oplus C_2^{(1)} \oplus k_3 \oplus t_{3,2}\right) \\ 
&= s\left(C_1^{(0)} \oplus B_1^{(0)} \oplus k_2 \oplus t_{2,1}\right) \oplus s\left(C_2^{(0)} \oplus B_2^{(0)} \oplus k_2 \oplus t_{2,2}\right) 
\end{aligned} \tag{4.13}$$ 

and, inverting Equation 4.3 for both encryptions and substituting Equation 4.7, 

$$\Delta B^{(0)} = s^{-1}\left(\hat{B}_1^{(1)} \oplus k_6\right) \oplus s^{-1}\left(\hat{B}_2^{(1)} \oplus k_6\right) \oplus \Delta A^{(1)} \oplus \Delta C^{(1)} \oplus t_{3,1} \oplus t_{3,2}, \tag{4.14}$$ 

where $\hat{B}_i^{(1)} = s^{-1}(B_i^{(2)}) \oplus A_i^{(2)} \oplus C_i^{(2)} \oplus t_{6,i} = B_i^{(1)} \oplus k_6$ is the key-free partial 
decryption of Equation 4.7 for the $i$th encryption. 

Equations 4.12, 4.13, and 4.14 show that the candidates for key bytes $k_1$, $k_2$, and $k_6$ 
can be searched independently of each other and of the other key bytes. Each value of $k_1$, 
$k_2$, and $k_6$ will imply a value for $\Delta A^{(1)}$, $\Delta C^{(1)}$, and $\Delta B^{(0)}$, respectively, and those that do 
not generate the differential calculated from the ciphertext, or the plaintext in the case of 
$k_6$, can be immediately discarded. This process is shown in Figure 4.1. 
Figure 4.1. Attack on two-round SoDark-3 by guessing key bytes $k_1$, 
$k_2$, and $k_6$ independently and matching the results with $\Delta A^{(1)}$, $\Delta C^{(1)}$, and 
$\Delta B^{(0)}$. The parts of the cipher marked in blue are known or can be calculated 
without guessing any part of the key. 


On average, 2.6 candidate values each for $k_1$, $k_2$, and $k_6$ are expected as a result of this 
search. Now, for each possible tuple $(k_1, k_2, k_6)$, the values of $k_3$, $k_4$, and $k_5$ are calculated. If 
the values of those match for both plaintext-ciphertext-tweak tuples, we have a candidate 
key that can be verified against further plaintext-ciphertext-tweak tuples. The full attack 
process is described in Algorithm 4.1. 
In calculating the time complexity of the attack, we first note that $2^8$ keys have to be tested 
for each of $k_1$, $k_2$, and $k_6$. Each test uses two S-box operations. This will yield, on average, 
$2.6^3 \approx 17.6$ candidate $(k_1, k_2, k_6)$ tuples. For each of those, $k_3$, $k_4$, and $k_5$ are calculated 
using both plaintext-ciphertext-tweak tuples. This requires six S-box operations per key 
tuple, but some of those can be cached in between iterations, see Algorithm 4.1. Therefore, 
the total average time complexity of the two-round attack, in units of the three S-box 
operations of one two-round brute force key test (Section 4.1), is 

$$\frac{6 \cdot 2^8 + 2 \cdot 2.6 + 2 \cdot 2.6^2 + 2 \cdot 2.6^3}{3} \approx 2^9. \tag{4.15}$$ 

Any pair of plaintext-ciphertext-tweak tuples that satisfies 

$$\Delta A^{(0)} \oplus \Delta B^{(0)} \oplus t_{1,1} \oplus t_{1,2} \neq 0 \tag{4.16}$$ 

$$\Delta C^{(0)} \oplus \Delta B^{(0)} \oplus t_{2,1} \oplus t_{2,2} \neq 0 \tag{4.17}$$ 

$$\Delta A^{(1)} \oplus \Delta B^{(0)} \oplus \Delta C^{(1)} \oplus t_{3,1} \oplus t_{3,2} \neq 0 \tag{4.18}$$ 

can be used in the attack. These are the conditions that the input differentials to the three 
S-box lookups in Equations 4.12 through 4.14 are nonzero; a zero input differential is matched 
by every value of the key byte and discards no candidates. Since the number of tuple pairs that 
does not satisfy this requirement is quite small, the attack works for virtually any pair, making 
the data complexity 2. The memory complexity is small: apart from the two input tuples, 
only the three candidate lists of about 2.6 entries each are stored. 
Algorithm 4.1 Perform a known-plaintext attack on two-round SoDark-3 and print all candidate keys.

1: procedure CrackTwoRounds($\mathcal{P}_1, \mathcal{C}_1, \mathcal{T}_1, \mathcal{P}_2, \mathcal{C}_2, \mathcal{T}_2$)
2:   $\hat{A}_1^{(1)} \leftarrow S^{-1}(A_1^{(2)}) \oplus t_{4,1}$   ▷ $= A_1^{(1)} \oplus B_1^{(1)} \oplus k_4$
3:   $\hat{A}_2^{(1)} \leftarrow S^{-1}(A_2^{(2)}) \oplus t_{4,2}$
4:   $\hat{C}_1^{(1)} \leftarrow S^{-1}(C_1^{(2)}) \oplus t_{5,1}$   ▷ $= C_1^{(1)} \oplus B_1^{(1)} \oplus k_5$
5:   $\hat{C}_2^{(1)} \leftarrow S^{-1}(C_2^{(2)}) \oplus t_{5,2}$
6:   $\hat{B}_1^{(1)} \leftarrow S^{-1}(B_1^{(2)}) \oplus A_1^{(2)} \oplus C_1^{(2)} \oplus t_{6,1}$   ▷ $= B_1^{(1)} \oplus k_6$
7:   $\hat{B}_2^{(1)} \leftarrow S^{-1}(B_2^{(2)}) \oplus A_2^{(2)} \oplus C_2^{(2)} \oplus t_{6,2}$
8:   $\Delta B^{(1)} \leftarrow \hat{B}_1^{(1)} \oplus \hat{B}_2^{(1)}$
9:   $\Delta A^{(1)} \leftarrow \hat{A}_1^{(1)} \oplus \hat{A}_2^{(1)} \oplus \Delta B^{(1)}$
10:  $\Delta C^{(1)} \leftarrow \hat{C}_1^{(1)} \oplus \hat{C}_2^{(1)} \oplus \Delta B^{(1)}$
11:  $L_{k_1} \leftarrow$ empty list
12:  $L_{k_2} \leftarrow$ empty list
13:  $L_{k_6} \leftarrow$ empty list
14:  for all $k_1$ do   ▷ $2^8$ possible $k_1$
15:    if $S(A_1^{(0)} \oplus B_1^{(0)} \oplus k_1 \oplus t_{1,1}) \oplus S(A_2^{(0)} \oplus B_2^{(0)} \oplus k_1 \oplus t_{1,2}) = \Delta A^{(1)}$ then
16:      $L_{k_1}$.append($k_1$)
17:    end if
18:  end for
19:  for all $k_2$ do   ▷ $2^8$ possible $k_2$
20:    if $S(C_1^{(0)} \oplus B_1^{(0)} \oplus k_2 \oplus t_{2,1}) \oplus S(C_2^{(0)} \oplus B_2^{(0)} \oplus k_2 \oplus t_{2,2}) = \Delta C^{(1)}$ then
21:      $L_{k_2}$.append($k_2$)
22:    end if
23:  end for
24:  for all $k_6$ do   ▷ $2^8$ possible $k_6$
25:    if $S^{-1}(\hat{B}_1^{(1)} \oplus k_6) \oplus S^{-1}(\hat{B}_2^{(1)} \oplus k_6) \oplus \Delta A^{(1)} \oplus \Delta C^{(1)} \oplus t_{3,1} \oplus t_{3,2} = \Delta B^{(0)}$ then
26:      $L_{k_6}$.append($k_6$)
27:    end if
28:  end for
29:  for all $k_1 \in L_{k_1}$ do   ▷ Average 2.6 $k_1$
30:    $A_1^{(1)} \leftarrow S(A_1^{(0)} \oplus B_1^{(0)} \oplus k_1 \oplus t_{1,1})$
31:    $A_2^{(1)} \leftarrow S(A_2^{(0)} \oplus B_2^{(0)} \oplus k_1 \oplus t_{1,2})$
32:    for all $k_2 \in L_{k_2}$ do   ▷ Average 2.6 $k_2$
33:      $C_1^{(1)} \leftarrow S(C_1^{(0)} \oplus B_1^{(0)} \oplus k_2 \oplus t_{2,1})$
34:      $C_2^{(1)} \leftarrow S(C_2^{(0)} \oplus B_2^{(0)} \oplus k_2 \oplus t_{2,2})$
35:      for all $k_6 \in L_{k_6}$ do   ▷ Average 2.6 $k_6$
36:        $B_1^{(1)} \leftarrow \hat{B}_1^{(1)} \oplus k_6$
37:        $B_2^{(1)} \leftarrow \hat{B}_2^{(1)} \oplus k_6$
38:        $k_{3,1} \leftarrow B_1^{(0)} \oplus A_1^{(1)} \oplus C_1^{(1)} \oplus S^{-1}(B_1^{(1)}) \oplus t_{3,1}$
39:        $k_{3,2} \leftarrow B_2^{(0)} \oplus A_2^{(1)} \oplus C_2^{(1)} \oplus S^{-1}(B_2^{(1)}) \oplus t_{3,2}$
40:        $k_{4,1} \leftarrow \hat{A}_1^{(1)} \oplus A_1^{(1)} \oplus B_1^{(1)}$
41:        $k_{4,2} \leftarrow \hat{A}_2^{(1)} \oplus A_2^{(1)} \oplus B_2^{(1)}$
42:        $k_{5,1} \leftarrow \hat{C}_1^{(1)} \oplus B_1^{(1)} \oplus C_1^{(1)}$
43:        $k_{5,2} \leftarrow \hat{C}_2^{(1)} \oplus B_2^{(1)} \oplus C_2^{(1)}$
44:        if $k_{3,1} = k_{3,2}$ and $k_{4,1} = k_{4,2}$ and $k_{5,1} = k_{5,2}$ then
45:          $k_3 \leftarrow k_{3,1}$
46:          $k_4 \leftarrow k_{4,1}$
47:          $k_5 \leftarrow k_{5,1}$
48:          Print($k_1 \,\|\, k_2 \,\|\, k_3 \,\|\, k_4 \,\|\, k_5 \,\|\, k_6$)
49:        end if
50:      end for
51:    end for
52:  end for
53: end procedure
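The two-round attack above, as an added example that is not the thesis's own code (its C implementations are in [38]): a Python model of the SoDark-3 round structure, key schedule and tweak schedule, with Algorithm 4.1 run on two random plaintext-ciphertext-tweak tuples. The S-box is a constructed random permutation, since the real SoDark S-box table is not reproduced on this page; the sieve only relies on $S$ being a bijection.

```python
"""Algorithm 4.1 (two-round SoDark-3 known-plaintext attack) on a model of the cipher.

Added example, not the thesis's own code. The round function, the 7-byte key
schedule and the 8-byte tweak schedule follow the thesis (3 bytes per round,
cycling).  The S-box is a CONSTRUCTED random permutation standing in for the
real SoDark S-box, which is not reproduced on this page; the attack only needs
S to be a bijection, so it runs unchanged with the real table.
"""
import random

_rng = random.Random(2017)
SBOX = list(range(256))
_rng.shuffle(SBOX)                      # constructed stand-in S-box (not the real one)
SBOX_INV = [0] * 256
for _x, _y in enumerate(SBOX):
    SBOX_INV[_y] = _x


def round_indices(r):
    """Key-byte (mod 7) and tweak-byte (mod 8) indices used by 0-based round r,
    in the order they enter the A, C and B lines (round 0: k1,k2,k3 / t1,t2,t3)."""
    keys = tuple((3 * r + i) % 7 for i in range(3))
    tweaks = tuple((3 * r + i) % 8 for i in range(3))
    return keys, tweaks


def encrypt(block, key, tweak, rounds):
    """A and C are updated from B first; B then uses the NEW A and C."""
    a, b, c = block
    for r in range(rounds):
        (ka, kc, kb), (ta, tc, tb) = round_indices(r)
        a = SBOX[a ^ b ^ key[ka] ^ tweak[ta]]
        c = SBOX[c ^ b ^ key[kc] ^ tweak[tc]]
        b = SBOX[b ^ a ^ c ^ key[kb] ^ tweak[tb]]
    return (a, b, c)


def crack_two_rounds(pt1, ct1, tw1, pt2, ct2, tw2):
    """Return every (k1..k6) consistent with both tuples, as in Algorithm 4.1."""
    S, Si = SBOX, SBOX_INV
    (A1, B1, C1), (A2, B2, C2) = pt1, pt2            # state (0)
    (Ac1, Bc1, Cc1), (Ac2, Bc2, Cc2) = ct1, ct2      # state (2)
    # Partially invert round 2 (k4,k5,k6 / t4,t5,t6) without any key byte:
    Ah1, Ah2 = Si[Ac1] ^ tw1[3], Si[Ac2] ^ tw2[3]    # = A(1) ^ B(1) ^ k4
    Ch1, Ch2 = Si[Cc1] ^ tw1[4], Si[Cc2] ^ tw2[4]    # = C(1) ^ B(1) ^ k5
    Bh1 = Si[Bc1] ^ Ac1 ^ Cc1 ^ tw1[5]               # = B(1) ^ k6
    Bh2 = Si[Bc2] ^ Ac2 ^ Cc2 ^ tw2[5]
    dB1 = Bh1 ^ Bh2                                   # k6 cancels in the difference
    dA1 = Ah1 ^ Ah2 ^ dB1                             # k4 cancels
    dC1 = Ch1 ^ Ch2 ^ dB1                             # k5 cancels
    dB0 = B1 ^ B2
    # Three independent sieves, 2 * 2^8 S-box lookups each, ~2.6 survivors each.
    L1 = [k for k in range(256)
          if S[A1 ^ B1 ^ k ^ tw1[0]] ^ S[A2 ^ B2 ^ k ^ tw2[0]] == dA1]
    L2 = [k for k in range(256)
          if S[C1 ^ B1 ^ k ^ tw1[1]] ^ S[C2 ^ B2 ^ k ^ tw2[1]] == dC1]
    L6 = [k for k in range(256)                       # k6 is matched back to dB0
          if Si[Bh1 ^ k] ^ Si[Bh2 ^ k] ^ dA1 ^ dC1 ^ tw1[2] ^ tw2[2] == dB0]
    found = []
    for k1 in L1:
        a1, a2 = S[A1 ^ B1 ^ k1 ^ tw1[0]], S[A2 ^ B2 ^ k1 ^ tw2[0]]
        for k2 in L2:
            c1, c2 = S[C1 ^ B1 ^ k2 ^ tw1[1]], S[C2 ^ B2 ^ k2 ^ tw2[1]]
            for k6 in L6:
                b1, b2 = Bh1 ^ k6, Bh2 ^ k6
                # k3, k4, k5 implied by each tuple must agree.
                k3 = (B1 ^ a1 ^ c1 ^ Si[b1] ^ tw1[2], B2 ^ a2 ^ c2 ^ Si[b2] ^ tw2[2])
                k4 = (Ah1 ^ a1 ^ b1, Ah2 ^ a2 ^ b2)
                k5 = (Ch1 ^ b1 ^ c1, Ch2 ^ b2 ^ c2)
                if k3[0] == k3[1] and k4[0] == k4[1] and k5[0] == k5[1]:
                    found.append((k1, k2, k3[0], k4[0], k5[0], k6))
    return found


def demo(seed=1):
    """Constructed scenario: random key and two random plaintext/tweak pairs."""
    rng = random.Random(seed)
    key = [rng.randrange(256) for _ in range(7)]
    tuples = []
    for _ in range(2):
        pt = tuple(rng.randrange(256) for _ in range(3))
        tw = [rng.randrange(256) for _ in range(8)]
        tuples.append((pt, encrypt(pt, key, tw, 2), tw))
    (pt1, ct1, tw1), (pt2, ct2, tw2) = tuples
    return tuple(key[:6]), crack_two_rounds(pt1, ct1, tw1, pt2, ct2, tw2), tuples


if __name__ == "__main__":
    true_key, cands, _ = demo()
    print("true k1..k6 :", true_key)
    print("candidates  :", cands)
```

Every candidate the sieve prints encrypts both tuples correctly, so the surviving false candidates are exactly the ones that a third tuple is needed to remove.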
4.4 Known-Plaintext Attack on Three-Round SoDark-3

The attack on three-round SoDark-3 is a direct extension of the two-round attack described in the previous section. The encryption process is analogous to the one shown in Equations 4.1 through 4.6, and the last round can be partially reversed to calculate $\Delta A^{(2)}$ and $\Delta C^{(2)}$ using the method shown in Equations 4.7 through 4.9.

The attack is shown graphically in Figure 4.2. It uses the fact that two of the three bytes in the first and last round keys are identical to perform partial differential matching in the middle round.

First, by guessing key byte $k_2$, $\Delta C^{(1)}$ can be calculated from the plaintext as

$$C_1^{(1)} = S\left(C_1^{(0)} \oplus B_1^{(0)} \oplus k_2 \oplus t_{2,1}\right) \tag{4.19}$$
$$C_2^{(1)} = S\left(C_2^{(0)} \oplus B_2^{(0)} \oplus k_2 \oplus t_{2,2}\right) \tag{4.20}$$
$$\Delta C^{(1)} = C_1^{(1)} \oplus C_2^{(1)} \tag{4.21}$$

and, by calculating $\Delta A^{(2)}$ and $\Delta C^{(2)}$ in the same way as in Equations 4.12 and 4.13, $\Delta B^{(1)}$ can be calculated from the ciphertext as

$$\Delta B^{(1)} = \Delta A^{(2)} \oplus \Delta C^{(2)} \oplus S^{-1}\left(\hat{B}_1^{(2)} \oplus k_2\right) \oplus S^{-1}\left(\hat{B}_2^{(2)} \oplus k_2\right) \oplus t_{6,1} \oplus t_{6,2}, \tag{4.22}$$

where $\hat{B}_i^{(2)} = S^{-1}(B_i^{(3)}) \oplus A_i^{(3)} \oplus C_i^{(3)} \oplus t_{1,i} = B_i^{(2)} \oplus k_2$ is the third-round $B$ byte partially reversed without its key byte. Now, the value of $\Delta C^{(1)}$ can be compared with $\Delta B^{(1)} \oplus \Delta\hat{C}^{(1)}$, where $\Delta\hat{C}^{(1)}$ is calculated by guessing $k_1$ in addition to $k_2$:

$$B_1^{(2)} = \hat{B}_1^{(2)} \oplus k_2 \tag{4.23}$$
$$B_2^{(2)} = \hat{B}_2^{(2)} \oplus k_2 \tag{4.24}$$
$$C_1^{(2)} = B_1^{(2)} \oplus \hat{C}_1^{(2)} \oplus k_1 \tag{4.25}$$
$$C_2^{(2)} = B_2^{(2)} \oplus \hat{C}_2^{(2)} \oplus k_1 \tag{4.26}$$
$$\Delta\hat{C}^{(1)} = S^{-1}\left(C_1^{(2)}\right) \oplus S^{-1}\left(C_2^{(2)}\right) \oplus t_{5,1} \oplus t_{5,2}, \tag{4.27}$$

with $\hat{C}_i^{(2)} = S^{-1}(C_i^{(3)}) \oplus t_{8,i} = C_i^{(2)} \oplus B_i^{(2)} \oplus k_1$. If $\Delta C^{(1)}$ and $\Delta B^{(1)} \oplus \Delta\hat{C}^{(1)}$ are equal, the $k_1, k_2$ pair is a candidate for those key bytes. This is expected to happen with probability $2^{-8}$, resulting in $2^8$ candidates for $k_1, k_2$.
[Figure 4.2: diagram of the three-round attack; not reproduced.]

Figure 4.2. Attack on three-round SoDark-3 by first guessing key bytes $k_1$ and $k_2$ independently and matching on $\Delta C^{(1)}$. In the case of a match, $k_7$ is guessed and matching on $\Delta A^{(1)}$ is performed. The parts of the cipher marked in blue are known or can be calculated without guessing any part of the key.
For each candidate pair $k_1, k_2$, possible values for $k_7$ are then sought. This is done by guessing $k_7$ and comparing $\Delta A^{(1)}$ to $\Delta B^{(1)} \oplus \Delta\hat{A}^{(1)}$:

$$A_1^{(1)} = S\left(A_1^{(0)} \oplus B_1^{(0)} \oplus k_1 \oplus t_{1,1}\right) \tag{4.28}$$
$$A_2^{(1)} = S\left(A_2^{(0)} \oplus B_2^{(0)} \oplus k_1 \oplus t_{1,2}\right) \tag{4.29}$$
$$\Delta A^{(1)} = A_1^{(1)} \oplus A_2^{(1)} \tag{4.30}$$
$$A_1^{(2)} = \hat{A}_1^{(2)} \oplus B_1^{(2)} \oplus k_7 \tag{4.31}$$
$$A_2^{(2)} = \hat{A}_2^{(2)} \oplus B_2^{(2)} \oplus k_7 \tag{4.32}$$
$$\Delta\hat{A}^{(1)} = S^{-1}\left(A_1^{(2)}\right) \oplus S^{-1}\left(A_2^{(2)}\right) \oplus t_{4,1} \oplus t_{4,2}, \tag{4.33}$$

where $\hat{A}_i^{(2)} = S^{-1}(A_i^{(3)}) \oplus t_{7,i} = A_i^{(2)} \oplus B_i^{(2)} \oplus k_7$. As before, if $\Delta A^{(1)}$ and $\Delta B^{(1)} \oplus \Delta\hat{A}^{(1)}$ match, then the tuple $k_1, k_2, k_7$ is a candidate for those key bytes. For the same reason, we expect $2^8$ candidates for $k_1, k_2, k_7$ to remain after this step.

Finally, for each candidate tuple $k_1, k_2, k_7$, possible values of $k_3$ are found by checking that the value of $k_4$ implied by a guessed $k_3$ is the same for both plaintext-ciphertext-tweak tuples:

$$k_{4,1} = S\left(B_1^{(0)} \oplus A_1^{(1)} \oplus C_1^{(1)} \oplus k_3 \oplus t_{3,1}\right) \oplus S^{-1}\left(\hat{A}_1^{(2)} \oplus B_1^{(2)} \oplus k_7\right) \oplus A_1^{(1)} \oplus t_{4,1} \tag{4.34}$$
$$k_{4,2} = S\left(B_2^{(0)} \oplus A_2^{(1)} \oplus C_2^{(1)} \oplus k_3 \oplus t_{3,2}\right) \oplus S^{-1}\left(\hat{A}_2^{(2)} \oplus B_2^{(2)} \oplus k_7\right) \oplus A_2^{(1)} \oplus t_{4,2}. \tag{4.35}$$

Then, the values of $k_5$ and $k_6$ can be calculated from the values already known, thus yielding a full candidate key:

$$k_5 = S^{-1}\left(C_1^{(2)}\right) \oplus B_1^{(1)} \oplus C_1^{(1)} \oplus t_{5,1} \tag{4.36}$$
$$k_6 = S^{-1}\left(B_1^{(2)}\right) \oplus A_1^{(2)} \oplus C_1^{(2)} \oplus B_1^{(1)} \oplus t_{6,1}. \tag{4.37}$$

The complete attack is shown in Algorithm 4.2. Calculation of the time complexity is done in the same way as for the two-round attack with the help of the algorithm description:

$$\frac{8 \cdot 2^8 + 6 \cdot 2^{16}}{6} \approx 2^{16}. \tag{4.38}$$

It is also clear from Algorithm 4.2 that no memory in addition to registers is needed to perform the attack. Like in the two-round case, the data complexity is 2.
Algorithm 4.2 Perform a known-plaintext attack on three-round SoDark-3 and print all candidate keys.

1: procedure CrackThreeRounds($\mathcal{P}_1, \mathcal{C}_1, \mathcal{T}_1, \mathcal{P}_2, \mathcal{C}_2, \mathcal{T}_2$)
2:   $\hat{B}_1^{(2)} \leftarrow S^{-1}(B_1^{(3)}) \oplus A_1^{(3)} \oplus C_1^{(3)} \oplus t_{1,1}$   ▷ $= B_1^{(2)} \oplus k_2$
3:   $\hat{B}_2^{(2)} \leftarrow S^{-1}(B_2^{(3)}) \oplus A_2^{(3)} \oplus C_2^{(3)} \oplus t_{1,2}$
4:   $\Delta B^{(2)} \leftarrow \hat{B}_1^{(2)} \oplus \hat{B}_2^{(2)}$
5:   $\hat{A}_1^{(2)} \leftarrow S^{-1}(A_1^{(3)}) \oplus t_{7,1}$   ▷ $= A_1^{(2)} \oplus B_1^{(2)} \oplus k_7$
6:   $\hat{A}_2^{(2)} \leftarrow S^{-1}(A_2^{(3)}) \oplus t_{7,2}$
7:   $\Delta A^{(2)} \leftarrow \hat{A}_1^{(2)} \oplus \hat{A}_2^{(2)} \oplus \Delta B^{(2)}$
8:   $\hat{C}_1^{(2)} \leftarrow S^{-1}(C_1^{(3)}) \oplus t_{8,1}$   ▷ $= C_1^{(2)} \oplus B_1^{(2)} \oplus k_1$
9:   $\hat{C}_2^{(2)} \leftarrow S^{-1}(C_2^{(3)}) \oplus t_{8,2}$
10:  $\Delta C^{(2)} \leftarrow \hat{C}_1^{(2)} \oplus \hat{C}_2^{(2)} \oplus \Delta B^{(2)}$
11:  for all $k_2$ do   ▷ $2^8$ possible $k_2$
12:    $C_1^{(1)} \leftarrow S(C_1^{(0)} \oplus B_1^{(0)} \oplus k_2 \oplus t_{2,1})$
13:    $C_2^{(1)} \leftarrow S(C_2^{(0)} \oplus B_2^{(0)} \oplus k_2 \oplus t_{2,2})$
14:    $\Delta C^{(1)} \leftarrow C_1^{(1)} \oplus C_2^{(1)}$
15:    $B_1^{(2)} \leftarrow \hat{B}_1^{(2)} \oplus k_2$
16:    $B_2^{(2)} \leftarrow \hat{B}_2^{(2)} \oplus k_2$
17:    $\Delta B^{(1)} \leftarrow \Delta A^{(2)} \oplus \Delta C^{(2)} \oplus S^{-1}(B_1^{(2)}) \oplus S^{-1}(B_2^{(2)}) \oplus t_{6,1} \oplus t_{6,2}$
18:    for all $k_1$ do   ▷ $2^8$ possible $k_1$
19:      $C_1^{(2)} \leftarrow B_1^{(2)} \oplus \hat{C}_1^{(2)} \oplus k_1$
20:      $C_2^{(2)} \leftarrow B_2^{(2)} \oplus \hat{C}_2^{(2)} \oplus k_1$
21:      $\Delta\hat{C}^{(1)} \leftarrow S^{-1}(C_1^{(2)}) \oplus S^{-1}(C_2^{(2)}) \oplus t_{5,1} \oplus t_{5,2}$
22:      if $\Delta C^{(1)} = \Delta B^{(1)} \oplus \Delta\hat{C}^{(1)}$ then   ▷ True with probability $2^{-8}$
23:        $A_1^{(1)} \leftarrow S(A_1^{(0)} \oplus B_1^{(0)} \oplus k_1 \oplus t_{1,1})$
24:        $A_2^{(1)} \leftarrow S(A_2^{(0)} \oplus B_2^{(0)} \oplus k_1 \oplus t_{1,2})$
25:        $\Delta A^{(1)} \leftarrow A_1^{(1)} \oplus A_2^{(1)}$
26:        for all $k_7$ do   ▷ $2^8$ possible $k_7$
27:          $A_1^{(2)} \leftarrow \hat{A}_1^{(2)} \oplus B_1^{(2)} \oplus k_7$
28:          $A_2^{(2)} \leftarrow \hat{A}_2^{(2)} \oplus B_2^{(2)} \oplus k_7$
29:          $\hat{A}_1^{(1)} \leftarrow S^{-1}(A_1^{(2)}) \oplus t_{4,1}$   ▷ $= A_1^{(1)} \oplus B_1^{(1)} \oplus k_4$
30:          $\hat{A}_2^{(1)} \leftarrow S^{-1}(A_2^{(2)}) \oplus t_{4,2}$
31:          $\Delta\hat{A}^{(1)} \leftarrow \hat{A}_1^{(1)} \oplus \hat{A}_2^{(1)}$
32:          if $\Delta A^{(1)} = \Delta B^{(1)} \oplus \Delta\hat{A}^{(1)}$ then   ▷ True with probability $2^{-8}$
33:            for all $k_3$ do   ▷ $2^8$ possible $k_3$
34:              $B_1^{(1)} \leftarrow S(B_1^{(0)} \oplus A_1^{(1)} \oplus C_1^{(1)} \oplus k_3 \oplus t_{3,1})$
35:              $B_2^{(1)} \leftarrow S(B_2^{(0)} \oplus A_2^{(1)} \oplus C_2^{(1)} \oplus k_3 \oplus t_{3,2})$
36:              $k_{4,1} \leftarrow B_1^{(1)} \oplus A_1^{(1)} \oplus \hat{A}_1^{(1)}$
37:              $k_{4,2} \leftarrow B_2^{(1)} \oplus A_2^{(1)} \oplus \hat{A}_2^{(1)}$
38:              if $k_{4,1} = k_{4,2}$ then   ▷ True with probability $2^{-8}$
39:                $k_4 \leftarrow k_{4,1}$
40:                $k_5 \leftarrow S^{-1}(C_1^{(2)}) \oplus B_1^{(1)} \oplus C_1^{(1)} \oplus t_{5,1}$
41:                $k_6 \leftarrow S^{-1}(B_1^{(2)}) \oplus A_1^{(2)} \oplus C_1^{(2)} \oplus B_1^{(1)} \oplus t_{6,1}$
42:                Print($k_1 \,\|\, k_2 \,\|\, k_3 \,\|\, k_4 \,\|\, k_5 \,\|\, k_6 \,\|\, k_7$)
43:              end if
44:            end for
45:          end if
46:        end for
47:      end if
48:    end for
49:  end for
50: end procedure
4.5 Known-Plaintext Attack on Four-Round SoDark-3

Figure 4.3 shows the four-round attack. The basic principle of partial differential matching remains the same. This time the sieving is done using $\Delta A^{(2)}$.

The main loop of the attack iterates over all possible values of $k_2$ and $k_3$. In each loop, a list that associates the values of $k_4$ and $\Delta A^{(2)}$ with values of $k_5$, $\hat{A}^{(2)}$, $\hat{C}^{(2)}$, and $B^{(2)}$ is built from the ciphertexts using the following calculations and iterating over all values of $k_4$ and $k_5$:

$$B_1^{(3)} = S^{-1}\left(B_1^{(4)}\right) \oplus A_1^{(4)} \oplus C_1^{(4)} \oplus k_5 \oplus t_{4,1} \tag{4.39}$$
$$B_2^{(3)} = S^{-1}\left(B_2^{(4)}\right) \oplus A_2^{(4)} \oplus C_2^{(4)} \oplus k_5 \oplus t_{4,2} \tag{4.40}$$
$$A_1^{(3)} = S^{-1}\left(A_1^{(4)}\right) \oplus B_1^{(3)} \oplus k_3 \oplus t_{2,1} \tag{4.41}$$
$$A_2^{(3)} = S^{-1}\left(A_2^{(4)}\right) \oplus B_2^{(3)} \oplus k_3 \oplus t_{2,2} \tag{4.42}$$
$$C_1^{(3)} = S^{-1}\left(C_1^{(4)}\right) \oplus B_1^{(3)} \oplus k_4 \oplus t_{3,1} \tag{4.43}$$
$$C_2^{(3)} = S^{-1}\left(C_2^{(4)}\right) \oplus B_2^{(3)} \oplus k_4 \oplus t_{3,2} \tag{4.44}$$
$$B_1^{(2)} = S^{-1}\left(B_1^{(3)}\right) \oplus A_1^{(3)} \oplus C_1^{(3)} \oplus k_2 \oplus t_{1,1} \tag{4.45}$$
$$B_2^{(2)} = S^{-1}\left(B_2^{(3)}\right) \oplus A_2^{(3)} \oplus C_2^{(3)} \oplus k_2 \oplus t_{1,2} \tag{4.46}$$
$$\hat{A}_1^{(2)} = S^{-1}\left(A_1^{(3)}\right) \oplus B_1^{(2)} \oplus t_{7,1} \tag{4.47}$$
$$\hat{A}_2^{(2)} = S^{-1}\left(A_2^{(3)}\right) \oplus B_2^{(2)} \oplus t_{7,2} \tag{4.48}$$
$$\Delta A^{(2)} = \hat{A}_1^{(2)} \oplus \hat{A}_2^{(2)} \tag{4.49}$$
$$\hat{C}_1^{(2)} = S^{-1}\left(C_1^{(3)}\right) \oplus B_1^{(2)} \oplus t_{8,1} \tag{4.50}$$
$$\hat{C}_2^{(2)} = S^{-1}\left(C_2^{(3)}\right) \oplus B_2^{(2)} \oplus t_{8,2}. \tag{4.51}$$

Here $\hat{A}_i^{(2)} = A_i^{(2)} \oplus k_7$ and $\hat{C}_i^{(2)} = C_i^{(2)} \oplus k_1$, so $\Delta A^{(2)}$ in Equation 4.49 does not depend on $k_7$.
[Figure 4.3: diagram of the four-round attack; not reproduced.]

Figure 4.3. Attack on four-round SoDark-3 by matching on $\Delta A^{(2)}$. The parts of the cipher marked in blue are known or can be calculated without guessing any part of the key.
With the list built, the next step is to iterate over all possible values of $k_1$ and $k_4$ and calculate $\Delta A^{(2)}$ from the plaintexts:

$$A_1^{(1)} = S\left(A_1^{(0)} \oplus B_1^{(0)} \oplus k_1 \oplus t_{1,1}\right) \tag{4.52}$$
$$A_2^{(1)} = S\left(A_2^{(0)} \oplus B_2^{(0)} \oplus k_1 \oplus t_{1,2}\right) \tag{4.53}$$
$$C_1^{(1)} = S\left(C_1^{(0)} \oplus B_1^{(0)} \oplus k_2 \oplus t_{2,1}\right) \tag{4.54}$$
$$C_2^{(1)} = S\left(C_2^{(0)} \oplus B_2^{(0)} \oplus k_2 \oplus t_{2,2}\right) \tag{4.55}$$
$$B_1^{(1)} = S\left(B_1^{(0)} \oplus A_1^{(1)} \oplus C_1^{(1)} \oplus k_3 \oplus t_{3,1}\right) \tag{4.56}$$
$$B_2^{(1)} = S\left(B_2^{(0)} \oplus A_2^{(1)} \oplus C_2^{(1)} \oplus k_3 \oplus t_{3,2}\right) \tag{4.57}$$
$$A_1^{(2)} = S\left(A_1^{(1)} \oplus B_1^{(1)} \oplus k_4 \oplus t_{4,1}\right) \tag{4.58}$$
$$A_2^{(2)} = S\left(A_2^{(1)} \oplus B_2^{(1)} \oplus k_4 \oplus t_{4,2}\right) \tag{4.59}$$
$$\Delta A^{(2)} = A_1^{(2)} \oplus A_2^{(2)}. \tag{4.60}$$

For each value of $\Delta A^{(2)}$ calculated from the plaintext, the corresponding entries in the list calculated from the ciphertext are retrieved. Each entry will contain the implied value of $k_5$ and allow the calculation of $k_1$, $k_6$, and $k_7$:

$$C_1^{(2)} = S\left(B_1^{(1)} \oplus C_1^{(1)} \oplus k_5 \oplus t_{5,1}\right) \tag{4.61}$$
$$C_2^{(2)} = S\left(B_2^{(1)} \oplus C_2^{(1)} \oplus k_5 \oplus t_{5,2}\right) \tag{4.62}$$
$$k_{1,1} = \hat{C}_1^{(2)} \oplus C_1^{(2)} \tag{4.63}$$
$$k_{1,2} = \hat{C}_2^{(2)} \oplus C_2^{(2)} \tag{4.64}$$
$$k_{6,1} = S^{-1}\left(B_1^{(2)}\right) \oplus A_1^{(2)} \oplus C_1^{(2)} \oplus B_1^{(1)} \oplus t_{6,1} \tag{4.65}$$
$$k_{6,2} = S^{-1}\left(B_2^{(2)}\right) \oplus A_2^{(2)} \oplus C_2^{(2)} \oplus B_2^{(1)} \oplus t_{6,2} \tag{4.66}$$
$$k_{7,1} = \hat{A}_1^{(2)} \oplus A_1^{(2)} \tag{4.67}$$
$$k_{7,2} = \hat{A}_2^{(2)} \oplus A_2^{(2)} \tag{4.68}$$

Finally, good matches can be identified by checking that $k_1 = k_{1,1} = k_{1,2}$, $k_{6,1} = k_{6,2}$, and $k_{7,1} = k_{7,2}$. Algorithm 4.3 shows the attack process. That description is again used to calculate the time complexity of the attack, which is

$$\frac{2 \cdot 2^8 + 4 \cdot 2^{24} + 8 \cdot 2^{32} + 4 \cdot 2.6 \cdot 2^{32}}{9} \approx 2^{33}. \tag{4.69}$$

The list used in the attack requires memory equivalent to about $2^{17.6}$ blocks. The data complexity remains 2.
Algorithm 4.3 Perform a known-plaintext attack on four-round SoDark-3 and print all candidate keys.

1: procedure CrackFourRounds($\mathcal{P}_1, \mathcal{C}_1, \mathcal{T}_1, \mathcal{P}_2, \mathcal{C}_2, \mathcal{T}_2$)
2:   $\hat{B}_1^{(3)} \leftarrow S^{-1}(B_1^{(4)}) \oplus A_1^{(4)} \oplus C_1^{(4)} \oplus t_{4,1}$   ▷ $= B_1^{(3)} \oplus k_5$
3:   $\hat{B}_2^{(3)} \leftarrow S^{-1}(B_2^{(4)}) \oplus A_2^{(4)} \oplus C_2^{(4)} \oplus t_{4,2}$
4:   $\hat{A}_1^{(3)} \leftarrow S^{-1}(A_1^{(4)}) \oplus t_{2,1}$   ▷ $= A_1^{(3)} \oplus B_1^{(3)} \oplus k_3$
5:   $\hat{A}_2^{(3)} \leftarrow S^{-1}(A_2^{(4)}) \oplus t_{2,2}$
6:   $\hat{C}_1^{(3)} \leftarrow S^{-1}(C_1^{(4)}) \oplus t_{3,1}$   ▷ $= C_1^{(3)} \oplus B_1^{(3)} \oplus k_4$
7:   $\hat{C}_2^{(3)} \leftarrow S^{-1}(C_2^{(4)}) \oplus t_{3,2}$
8:   for all $k_2$ do   ▷ $2^8$ possible $k_2$
9:     $C_1^{(1)} \leftarrow S(B_1^{(0)} \oplus C_1^{(0)} \oplus k_2 \oplus t_{2,1})$
10:    $C_2^{(1)} \leftarrow S(B_2^{(0)} \oplus C_2^{(0)} \oplus k_2 \oplus t_{2,2})$
11:    for all $k_3$ do   ▷ $2^8$ possible $k_3$
12:      $L \leftarrow$ empty list   ▷ Indexed by $k_4, \Delta A^{(2)}$
13:      for all $k_4, k_5$ do   ▷ $2^{16}$ possible $k_4, k_5$
14:        $B_1^{(3)} \leftarrow \hat{B}_1^{(3)} \oplus k_5$
15:        $B_2^{(3)} \leftarrow \hat{B}_2^{(3)} \oplus k_5$
16:        $A_1^{(3)} \leftarrow \hat{A}_1^{(3)} \oplus B_1^{(3)} \oplus k_3$
17:        $A_2^{(3)} \leftarrow \hat{A}_2^{(3)} \oplus B_2^{(3)} \oplus k_3$
18:        $C_1^{(3)} \leftarrow \hat{C}_1^{(3)} \oplus B_1^{(3)} \oplus k_4$
19:        $C_2^{(3)} \leftarrow \hat{C}_2^{(3)} \oplus B_2^{(3)} \oplus k_4$
20:        $B_1^{(2)} \leftarrow S^{-1}(B_1^{(3)}) \oplus A_1^{(3)} \oplus C_1^{(3)} \oplus k_2 \oplus t_{1,1}$
21:        $B_2^{(2)} \leftarrow S^{-1}(B_2^{(3)}) \oplus A_2^{(3)} \oplus C_2^{(3)} \oplus k_2 \oplus t_{1,2}$
22:        $\hat{A}_1^{(2)} \leftarrow S^{-1}(A_1^{(3)}) \oplus B_1^{(2)} \oplus t_{7,1}$   ▷ $= A_1^{(2)} \oplus k_7$
23:        $\hat{A}_2^{(2)} \leftarrow S^{-1}(A_2^{(3)}) \oplus B_2^{(2)} \oplus t_{7,2}$
24:        $\hat{C}_1^{(2)} \leftarrow S^{-1}(C_1^{(3)}) \oplus B_1^{(2)} \oplus t_{8,1}$   ▷ $= C_1^{(2)} \oplus k_1$
25:        $\hat{C}_2^{(2)} \leftarrow S^{-1}(C_2^{(3)}) \oplus B_2^{(2)} \oplus t_{8,2}$
26:        $\Delta A^{(2)} \leftarrow \hat{A}_1^{(2)} \oplus \hat{A}_2^{(2)}$
27:        $L[k_4, \Delta A^{(2)}]$.append($k_5, \hat{A}_1^{(2)}, \hat{A}_2^{(2)}, \hat{C}_1^{(2)}, \hat{C}_2^{(2)}, B_1^{(2)}, B_2^{(2)}$)
28:      end for
29:      for all $k_1$ do   ▷ $2^8$ possible $k_1$
30:        $A_1^{(1)} \leftarrow S(A_1^{(0)} \oplus B_1^{(0)} \oplus k_1 \oplus t_{1,1})$
31:        $A_2^{(1)} \leftarrow S(A_2^{(0)} \oplus B_2^{(0)} \oplus k_1 \oplus t_{1,2})$
32:        $B_1^{(1)} \leftarrow S(B_1^{(0)} \oplus A_1^{(1)} \oplus C_1^{(1)} \oplus k_3 \oplus t_{3,1})$
33:        $B_2^{(1)} \leftarrow S(B_2^{(0)} \oplus A_2^{(1)} \oplus C_2^{(1)} \oplus k_3 \oplus t_{3,2})$
34:        for all $k_4$ do   ▷ $2^8$ possible $k_4$
35:          $A_1^{(2)} \leftarrow S(A_1^{(1)} \oplus B_1^{(1)} \oplus k_4 \oplus t_{4,1})$
36:          $A_2^{(2)} \leftarrow S(A_2^{(1)} \oplus B_2^{(1)} \oplus k_4 \oplus t_{4,2})$
37:          $\Delta A^{(2)} \leftarrow A_1^{(2)} \oplus A_2^{(2)}$
38:          for all $k_5, \hat{A}_1^{(2)}, \hat{A}_2^{(2)}, \hat{C}_1^{(2)}, \hat{C}_2^{(2)}, B_1^{(2)}, B_2^{(2)} \in L[k_4, \Delta A^{(2)}]$ do   ▷ 2.6 iterations on average
39:            $C_1^{(2)} \leftarrow S(B_1^{(1)} \oplus C_1^{(1)} \oplus k_5 \oplus t_{5,1})$
40:            $C_2^{(2)} \leftarrow S(B_2^{(1)} \oplus C_2^{(1)} \oplus k_5 \oplus t_{5,2})$
41:            $k_{1,1} \leftarrow \hat{C}_1^{(2)} \oplus C_1^{(2)}$
42:            $k_{1,2} \leftarrow \hat{C}_2^{(2)} \oplus C_2^{(2)}$
43:            $k_{6,1} \leftarrow S^{-1}(B_1^{(2)}) \oplus A_1^{(2)} \oplus C_1^{(2)} \oplus B_1^{(1)} \oplus t_{6,1}$
44:            $k_{6,2} \leftarrow S^{-1}(B_2^{(2)}) \oplus A_2^{(2)} \oplus C_2^{(2)} \oplus B_2^{(1)} \oplus t_{6,2}$
45:            $k_{7,1} \leftarrow \hat{A}_1^{(2)} \oplus A_1^{(2)}$
46:            $k_{7,2} \leftarrow \hat{A}_2^{(2)} \oplus A_2^{(2)}$
47:            if $k_1 = k_{1,1} = k_{1,2}$ and $k_{6,1} = k_{6,2}$ and $k_{7,1} = k_{7,2}$ then
48:              $k_6 \leftarrow k_{6,1}$
49:              $k_7 \leftarrow k_{7,1}$
50:              Print($k_1 \,\|\, k_2 \,\|\, k_3 \,\|\, k_4 \,\|\, k_5 \,\|\, k_6 \,\|\, k_7$)
51:            end if
52:          end for
53:        end for
54:      end for
55:    end for
56:  end for
57: end procedure
4.6 Known-Plaintext Attack on Five-Round SoDark-3

The attack on five-round SoDark-3 is structurally simpler than the previously described attacks and can be described entirely by treating the cipher as an iterated Even-Mansour construction. It is shown in Figure 4.4. Since the first two rounds use key bytes $k_1, k_2, k_3, k_4, k_5, k_6$ and the last two rounds use key bytes $k_1, k_3, k_4, k_5, k_6, k_7$, sieving can be done in the middle by comparing differentials, thus bypassing the third round key bytes. By looping over the common key bytes $k_1, k_3, k_4, k_5, k_6$ in an outer loop, the memory requirements are decreased significantly when compared to a standard MITM attack. The attack is equivalent to the three-subset MITM attack described in [37].


[Figure 4.4: the five rounds drawn as an iterated Even-Mansour construction from $\mathcal{P}$ to $\mathcal{C}$, with the round inputs $k_{123} \oplus t_{123}$, $k_{456} \oplus t_{456}$, $k_{712} \oplus t_{781}$, $k_{345} \oplus t_{234}$, and $k_{671} \oplus t_{567}$; the first two rounds are labelled $k_1, k_2, k_3, k_4, k_5, k_6$ and the last two $k_1, k_3, k_4, k_5, k_6, k_7$.]

Figure 4.4. Attack on five-round SoDark-3.


Using the notation from Equation 3.24, the attack works by calculating

$$v_1 = g\left(g\left(T(\mathcal{P}_1) \oplus k_{123} \oplus t_{123,1}\right) \oplus k_{456} \oplus t_{456,1}\right) \oplus t_{781,1} \tag{4.70}$$
$$v_2 = g\left(g\left(T(\mathcal{P}_2) \oplus k_{123} \oplus t_{123,2}\right) \oplus k_{456} \oplus t_{456,2}\right) \oplus t_{781,2} \tag{4.71}$$
$$\Delta v = v_1 \oplus v_2 \tag{4.72}$$

for all possible values of $k_1, k_2, k_3, k_4, k_5, k_6$ and storing them in a list indexed by $\Delta v$. Then the same calculation is done for all possible values of $k_1, k_3, k_4, k_5, k_6, k_7$:

$$w_1 = g^{-1}\left(g^{-1}\left(g^{-1}\left(T(\mathcal{C}_1)\right) \oplus k_{671} \oplus t_{567,1}\right) \oplus k_{345} \oplus t_{234,1}\right) \tag{4.73}$$
$$w_2 = g^{-1}\left(g^{-1}\left(g^{-1}\left(T(\mathcal{C}_2)\right) \oplus k_{671} \oplus t_{567,2}\right) \oplus k_{345} \oplus t_{234,2}\right) \tag{4.74}$$
$$\Delta w = w_1 \oplus w_2. \tag{4.75}$$

The value $\Delta w$ is then used to look up the key bytes $k_1, k_2, k_3, k_4, k_5, k_6$ in the list. If the common key bytes $k_1, k_3, k_4, k_5, k_6$ match, the candidate key can be tested against more plaintext-ciphertext-tweak tuples.

Algorithm 4.4 implements the attack. The following time complexity is calculated from that algorithm:

$$\frac{12 \cdot 2^{40} \left(2^8 + 2^8\right)}{12} \approx 2^{49}. \tag{4.76}$$

The generated list uses $2^8$ blocks of storage and the data complexity is still 2.


Algorithm 4.4 Perform a known-plaintext attack on five-round SoDark-3 and print all candidate keys.

1: procedure CrackFiveRounds($\mathcal{P}_1, \mathcal{C}_1, \mathcal{T}_1, \mathcal{P}_2, \mathcal{C}_2, \mathcal{T}_2$)
2:   for all $k_1, k_3, k_4, k_5, k_6$ do   ▷ $2^{40}$ possible $k_1, k_3, k_4, k_5, k_6$
3:     $L \leftarrow$ empty list
4:     for all $k_2$ do   ▷ $2^8$ possible $k_2$
5:       $v_1 \leftarrow g(g(T(\mathcal{P}_1) \oplus k_{123} \oplus t_{123,1}) \oplus k_{456} \oplus t_{456,1}) \oplus t_{781,1}$
6:       $v_2 \leftarrow g(g(T(\mathcal{P}_2) \oplus k_{123} \oplus t_{123,2}) \oplus k_{456} \oplus t_{456,2}) \oplus t_{781,2}$
7:       $\Delta v \leftarrow v_1 \oplus v_2$
8:       $L[\Delta v]$.append($k_2$)
9:     end for
10:    for all $k_7$ do   ▷ $2^8$ possible $k_7$
11:      $w_1 \leftarrow g^{-1}(g^{-1}(g^{-1}(T(\mathcal{C}_1)) \oplus k_{671} \oplus t_{567,1}) \oplus k_{345} \oplus t_{234,1})$
12:      $w_2 \leftarrow g^{-1}(g^{-1}(g^{-1}(T(\mathcal{C}_2)) \oplus k_{671} \oplus t_{567,2}) \oplus k_{345} \oplus t_{234,2})$
13:      $\Delta w \leftarrow w_1 \oplus w_2$
14:      for all $k_2 \in L[\Delta w]$ do
15:        Print($k_1 \,\|\, k_2 \,\|\, k_3 \,\|\, k_4 \,\|\, k_5 \,\|\, k_6 \,\|\, k_7$)
16:      end for
17:    end for
18:  end for
19: end procedure
4.7 Chosen-Tweak Attack on Six- and Seven-Round SoDark-3

Structural attacks of the types described previously, where the cipher is split in parts that use different subsets of the full seven-byte key, cannot be extended beyond five rounds. Nonetheless, for certain combinations of plaintext, ciphertext, tweak, and key, it is possible to predict part of the internal state of the cipher from the ciphertext alone.

For the six-round attack, consider two plaintext-ciphertext-tweak tuples where $\mathcal{P}_1 \neq \mathcal{P}_2$, $\mathcal{C}_1 = \mathcal{C}_2$, and all bytes in the tweak are identical except for $t_{5,1} \neq t_{5,2}$. The key schedule in Table 3.2 shows that this is possible if and only if $\Delta A^{(4)} = \Delta t_5 = t_{5,2} \oplus t_{5,1}$, $\Delta B^{(4)} = 0$, and $\Delta C^{(4)} = 0$. This known internal differential can be used to calculate $\Delta B^{(3)}$ and $\Delta C^{(3)}$ in the following way. First,

$$\Delta B^{(3)} = \Delta A^{(4)} \oplus S^{-1}\left(B_1^{(4)}\right) \oplus S^{-1}\left(B_2^{(4)}\right) \oplus \Delta C^{(4)} \oplus \Delta t_4. \tag{4.77}$$

Since $B_1^{(4)} = B_2^{(4)}$, $\Delta C^{(4)} = 0$, and $\Delta t_4 = 0$, this reduces Equation 4.77 to

$$\Delta B^{(3)} = \Delta A^{(4)} = \Delta t_5. \tag{4.78}$$

For the same reason,

$$\Delta C^{(3)} = \Delta B^{(3)} \oplus S^{-1}\left(C_1^{(4)}\right) \oplus S^{-1}\left(C_2^{(4)}\right) \oplus \Delta t_3 = \Delta B^{(3)} = \Delta A^{(4)} = \Delta t_5. \tag{4.79}$$

This knowledge allows sieving of possible $k_1, k_2, k_3, k_4, k_5, k_6$ by calculating $\Delta C^{(3)}$ from the plaintexts. The process is illustrated in Figure 4.5.

Unlike the previous attacks, which work on arbitrary message tuples, the attack on six rounds requires a specific output differential. The first step of the attack is therefore to find a pair of plaintext-ciphertext-tweak tuples that satisfies it. Assuming that the cipher's randomization properties after four rounds are good,¹ all differentials after the fourth and subsequent rounds have probability $2^{-24}$. The number of pairs of plaintext-ciphertext-tweak tuples $n$

¹This is investigated in [5].
[Figure 4.5: diagram of the first four rounds with the guessed key bytes $k_1, k_2, k_3, k_4, k_5, k_6$; not reproduced.]

Figure 4.5. The first four rounds in the attacks on six- and seven-round SoDark-3.
required for one of them to have the required output differential with 50% probability is therefore

$$\left(1 - 2^{-24}\right)^n = \frac{1}{2} \quad\Longrightarrow\quad n = \frac{\log \frac{1}{2}}{\log\left(2^{24} - 1\right) - \log\left(2^{24}\right)} \approx 11{,}629{,}080. \tag{4.80}$$

Unlike in a normal birthday attack, the required pairs of plaintext-ciphertext-tweak tuples must be formed so that each tuple in the pair has a different tweak. The most efficient way to achieve this in an oracle model is to generate plaintext-ciphertext-tweak tuples for two different tweaks with $t_{5,1} \neq t_{5,2}$ and all other tweak bytes identical. This way, with $n$ generated tuples per tweak, $n^2$ tuple pairs can be formed. Thus, only $\sqrt{11{,}629{,}080} \approx 3410 \approx 2^{11.7}$ tuples are required for each tweak in order to find the required output differential with 50% probability. This is, in effect, a version of the birthday paradox with two subsets.

Algorithm 4.5 performs the six-round attack. Since the filtering step can be done without any S-box operations, its time complexity can be neglected. The only source of complexity that remains is the calculation of $\Delta C^{(3)}$, which is

$$\frac{2 \cdot 2^8 + 2 \cdot 2^{16} + 2 \cdot 2^{24} + 2 \cdot 2^{32} + 2 \cdot 2^{40} + 4 \cdot 2^{48}}{15} \approx 2^{46}. \tag{4.81}$$

No memory in addition to registers is needed for the attack. Figure 4.6 shows the trade-off curve for the relationship between the number of available tuples and probability of success.

The attack is extended to seven rounds by the addition of an initial filtering step to find a pair with the correct fourth-round differential. For each generated pair of tuples, calculate

$$\Delta A^{(7)} = A_1^{(7)} \oplus A_2^{(7)} \tag{4.82}$$
$$\Delta C^{(7)} = C_1^{(7)} \oplus C_2^{(7)}. \tag{4.83}$$

If $\Delta A^{(7)} = 0$ and $\Delta C^{(7)} = 0$, continue by calculating

$$\hat{B}_1^{(6)} = S^{-1}\left(B_1^{(7)}\right) \oplus A_1^{(7)} \oplus C_1^{(7)} \oplus t_{5,1} \tag{4.84}$$
$$\hat{B}_2^{(6)} = S^{-1}\left(B_2^{(7)}\right) \oplus A_2^{(7)} \oplus C_2^{(7)} \oplus t_{5,2} \tag{4.85}$$
$$\Delta B^{(6)} = \hat{B}_1^{(6)} \oplus \hat{B}_2^{(6)}, \tag{4.86}$$

where $\hat{B}_i^{(6)} = B_i^{(6)} \oplus k_7$, so the difference is independent of the key.
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Figure 4.6. Trade-off curve between data and probability of success in the 
case with two sets of tweaks of same size. 


If $\Delta B^{(6)} = 0$, the pair has the required fourth-round differential and the cipher can be attacked in the same way as the six-round version. Note that this filtering step does not involve guessing any key bits.

The addition of a filtering step increases the time complexity for an attack with 50% probability of success by a negligible amount:

$$\frac{2 \cdot 11{,}629{,}080 + 2 \cdot 2^8 + 2 \cdot 2^{16} + 2 \cdot 2^{24} + 2 \cdot 2^{32} + 2 \cdot 2^{40} + 4 \cdot 2^{48}}{18} \approx 2^{46}. \tag{4.87}$$
Algorithm 4.5 Perform a chosen-tweak attack on six-round SoDark-3 and print all candidate keys.

Require: $\mathcal{C}_1 = \mathcal{C}_2$, $t_{1,1} = t_{1,2}$, $t_{2,1} = t_{2,2}$, $t_{3,1} = t_{3,2}$, $t_{4,1} = t_{4,2}$, $t_{5,1} \neq t_{5,2}$, $t_{6,1} = t_{6,2}$, $t_{7,1} = t_{7,2}$, $t_{8,1} = t_{8,2}$

1: procedure CrackSixRounds($\mathcal{P}_1, \mathcal{C}_1, \mathcal{T}_1, \mathcal{P}_2, \mathcal{C}_2, \mathcal{T}_2$)
2:   $\Delta t_5 \leftarrow t_{5,1} \oplus t_{5,2}$
3:   for all $k_1$ do
4:     $A_1^{(1)} \leftarrow S(A_1^{(0)} \oplus B_1^{(0)} \oplus k_1 \oplus t_{1,1})$
5:     $A_2^{(1)} \leftarrow S(A_2^{(0)} \oplus B_2^{(0)} \oplus k_1 \oplus t_{1,2})$
6:     for all $k_2$ do
7:       $C_1^{(1)} \leftarrow S(C_1^{(0)} \oplus B_1^{(0)} \oplus k_2 \oplus t_{2,1})$
8:       $C_2^{(1)} \leftarrow S(C_2^{(0)} \oplus B_2^{(0)} \oplus k_2 \oplus t_{2,2})$
9:       for all $k_3$ do
10:        $B_1^{(1)} \leftarrow S(A_1^{(1)} \oplus B_1^{(0)} \oplus C_1^{(1)} \oplus k_3 \oplus t_{3,1})$
11:        $B_2^{(1)} \leftarrow S(A_2^{(1)} \oplus B_2^{(0)} \oplus C_2^{(1)} \oplus k_3 \oplus t_{3,2})$
12:        for all $k_4$ do
13:          $A_1^{(2)} \leftarrow S(A_1^{(1)} \oplus B_1^{(1)} \oplus k_4 \oplus t_{4,1})$
14:          $A_2^{(2)} \leftarrow S(A_2^{(1)} \oplus B_2^{(1)} \oplus k_4 \oplus t_{4,2})$
15:          for all $k_5$ do
16:            $C_1^{(2)} \leftarrow S(C_1^{(1)} \oplus B_1^{(1)} \oplus k_5 \oplus t_{5,1})$
17:            $C_2^{(2)} \leftarrow S(C_2^{(1)} \oplus B_2^{(1)} \oplus k_5 \oplus t_{5,2})$
18:            for all $k_6$ do
19:              $B_1^{(2)} \leftarrow S(A_1^{(2)} \oplus B_1^{(1)} \oplus C_1^{(2)} \oplus k_6 \oplus t_{6,1})$
20:              $B_2^{(2)} \leftarrow S(A_2^{(2)} \oplus B_2^{(1)} \oplus C_2^{(2)} \oplus k_6 \oplus t_{6,2})$
21:              $C_1^{(3)} \leftarrow S(C_1^{(2)} \oplus B_1^{(2)} \oplus k_1 \oplus t_{8,1})$
22:              $C_2^{(3)} \leftarrow S(C_2^{(2)} \oplus B_2^{(2)} \oplus k_1 \oplus t_{8,2})$
23:              $\Delta C^{(3)} \leftarrow C_1^{(3)} \oplus C_2^{(3)}$
24:              if $\Delta C^{(3)} = \Delta t_5$ then
25:                Print($k_1 \,\|\, k_2 \,\|\, k_3 \,\|\, k_4 \,\|\, k_5 \,\|\, k_6$)
26:              end if
27:            end for
28:          end for
29:        end for
30:      end for
31:    end for
32:  end for
33: end procedure
4.8 Chosen-Tweak Attack on Eight-Round SoDark-3

The attack on six and seven rounds in the previous section can be extended to an attack on eight rounds, i.e., the full Lattice algorithm from the 2G ALE standard. Unlike the previous attack, the required output differential cannot be identified with certainty. It can, however, be identified with high probability. Figure 4.7 shows the last two rounds of the eight-round SoDark-3. The sought differential after the fourth round exists if and only if $\Delta A^{(7)} = \Delta C^{(7)} = 0$ and $\Delta\hat{B}^{(7)} = \Delta t_5$, where $\Delta\hat{B}^{(7)} = S^{-1}(B_1^{(7)}) \oplus S^{-1}(B_2^{(7)})$ is the difference at the input of the seventh-round $B$-line S-box. In that case, writing $\Delta\hat{A}^{(8)}$ and $\Delta\hat{C}^{(8)}$ for the differences at the inputs of the eighth-round $A$- and $C$-line S-boxes,

$$\Delta\hat{A}^{(8)} = \Delta A^{(7)} \oplus \Delta B^{(7)} = \Delta B^{(7)} \tag{4.88}$$
$$\Delta\hat{C}^{(8)} = \Delta C^{(7)} \oplus \Delta B^{(7)} = \Delta B^{(7)} \tag{4.89}$$

and therefore

$$\Delta\hat{A}^{(8)} = \Delta\hat{C}^{(8)} = \Delta B^{(7)}. \tag{4.90}$$

All three quantities in Equation 4.90 follow from the ciphertexts alone, since $\Delta B^{(7)} = S^{-1}(B_1^{(8)}) \oplus S^{-1}(B_2^{(8)}) \oplus \Delta A^{(8)} \oplus \Delta C^{(8)}$ when the tweaks agree in $t_8$. This differential just before the eighth round S-boxes therefore indicates a high probability that the seventh round differential is the required one. An attack that has 50% probability of success requires 11,629,080 plaintext-ciphertext-tweak tuple pairs, see Equation 4.80. The average number of candidate pairs remaining after the filtering step in that case is $2^{-16} \cdot 11{,}629{,}080 \approx 177.4 \approx 2^{7.5}$.

For plaintext-ciphertext-tweak tuples that satisfy Equation 4.90, the assumption is made that they have the correct fourth-round differential, and the values of $k_3$ that cause

$$\Delta\hat{B}^{(7)} = S^{-1}\left(S^{-1}\left(B_1^{(8)}\right) \oplus A_1^{(8)} \oplus C_1^{(8)} \oplus k_3 \oplus t_{8,1}\right) \oplus S^{-1}\left(S^{-1}\left(B_2^{(8)}\right) \oplus A_2^{(8)} \oplus C_2^{(8)} \oplus k_3 \oplus t_{8,2}\right) = t_{5,1} \oplus t_{5,2} \tag{4.91}$$

can be calculated. Candidate pairs remaining after the first filtering step satisfy this relationship with a certain probability; in the 50% probability of success case, this reduces the 177.4 pairs to approximately $69.3 \approx 2^{6.1}$ remaining candidate pairs.

For each remaining pair, the values of $k_1, k_2, k_3, k_4, k_5, k_6$ that give $\Delta C^{(3)} = \Delta t_5$ are searched for using the same method as in the previous six- and seven-round attack, with the exception
[Figure 4.7: diagram of rounds seven and eight; not reproduced.]

Figure 4.7. The last two rounds in the attack on eight-round SoDark-3.

that only the values of $k_3$ that satisfy Equation 4.91 for that pair are tried. We expect each candidate pair that survived filtering step two to have 2.6 candidate values for $k_3$, on average.

We can now calculate the total time complexity for the eight-round attack:

$$\frac{1}{21} \cdot \Big( 6 \cdot 11{,}629{,}080 + 4 \cdot 2^{7.5} \cdot 2^8 + 2^{6.1} \cdot \left(2 \cdot 2^8 + 2 \cdot 2^{16}\right) + 2^{7.5} \cdot \left(2 \cdot 2^{16} + 2 \cdot 2^{24} + 2 \cdot 2^{32} + 4 \cdot 2^{40}\right) \Big) \approx 2^{45}. \tag{4.92}$$

The complexity of this attack is lower than that of the attacks on six and seven rounds presented in the previous section. This is because the differential after the next to last round—which is known with high probability—is used to deduce information about part of the key. Like in the six- and seven-round attacks, $2^{11.7}$ plaintext-ciphertext-tweak tuples are required to recover the key with 50% probability. The memory requirements also remain the same. No memory in addition to registers is required.


4.9 Experimental Verification 

All attacks described in this chapter have been implemented in the C programming language 
and verified in practice. The implementations are publicly available [38]. 
CHAPTER 5:

Logic Circuit Representations of the SoDark S-box 


5.1 Introduction 

For the attacks in the following chapters, an efficient logic circuit representation of the S-box 
is needed. Such a representation describes the relationship between the inputs and outputs 
of the S-box as a circuit of logic gates. A logic circuit implementation of an S-box considers 
each of the S-box output bits as a separate Boolean function of the same input variables. 
In the case of the SoDark S-box with eight inputs and eight outputs, this means eight 
Boolean functions of eight input variables. This is in contrast to representing the S-box as, 
for example, the algebraic normal form (ANF) of the Boolean functions it implements, or 
as a lookup table. 

Since finding the optimum logic circuit for a given S-box is an NP-complete problem and is intractable even for very small S-boxes, heuristic methods must be used in all but very special cases. Although these heuristic methods are significantly faster than a brute force search, they are still quite slow and take a fair amount of time to perform, even on modern computers. In particular, for the logic circuit representations presented later that use 3-bit lookup tables (LUT), use of the NPS Hamming high-performance computing cluster was necessary.

In [19], Biham presents an algorithm for generating a logic circuit for the DES S-box. It breaks down the truth table of each Boolean function into 16 functions of two variables and then uses the remaining four "free" variables to choose between those 16 functions. Using this algorithm, Biham generates logic circuit representations of the DES S-box that require 100 gates on average.

It is important to note that, although a logic circuit with fewer gates is often faster, this is not always the case. Which circuit is faster in practice depends on the technology on which it is implemented. In the case of hardware implementations in ASICs and FPGAs, latency
is normally of great concern. That means, the signal paths to different inputs of the same
gate must have approximately the same delay. Too large a delay will necessitate a lower 
clock frequency and thus a lower speed. 

Software implementations are typically limited by the available number of processor reg¬ 
isters. This limits the number of gate outputs that are active in parallel. If the number of 
active outputs is higher than the number of available registers, memory must be used for 
storing the surplus output variables. This comes with a significant performance cost. Logic 
circuit representations used for generating algebraic systems as input to SAT solvers have 
similar problems. In that case, some Boolean gates result in CNF representations that are 
much easier for the SAT solvers to handle than others. 


5.2 Kwan’s Algorithm 

In [39], Kwan presents an improvement to Biham’s method from [19]. It works by suc¬ 
cessively adding new gates to a circuit through recursive search while trying all possible 
orderings of input and output bits. In this case, with eight input and eight output bits, it 
requires testing 8! • 8! combinations. 

The recursive algorithm described in [39] takes an existing partial gate circuit as input 
together with a target truth table, a “don’t care” mask, and a list of input bits already used. 
It returns a gate in the circuit whose truth table is identical to the target, except for the bit 
positions where the don’t care mask is zero. Initially, the gate circuit will only consist of 
the eight input bits. 

Each invocation of the algorithm can be split up into five successively more complex 
steps [39]: 

1. Check if there already is a gate in the logic circuit with the required output truth table. 
If so, return that gate. 

2. Check if there is a gate with a truth table that is the logic NOT of the required output 
truth table. If so, add a NOT gate to the logic circuit and return it. 

3. Try all combinations of two gates using AND, OR, XOR, NOT, and ANDNOT gates 
and check if the resulting output is equal to the target truth table. If so, add the gates 
and return the output gate. 





4. Try all combinations of three gates using AND, OR, XOR, NOT, and ANDNOT gates. If one of the combinations results in the required output table, add the gates to the circuit and return the output gate.

5. Split the truth table on one of the unused input bits by setting the corresponding bits in the don't care mask to zero. Then call the algorithm twice recursively: once with a don't care mask corresponding to the input bit equal to one and once with a don't care mask corresponding to the input bit equal to zero. Combine the output from the two calls with a two gate multiplexer. Perform this once for each of the remaining unused input bits and with two different multiplexers. Return the combination of input bit and multiplexer that results in the logic circuit with the fewest gates.

The implementation details of Kwan's algorithm are somewhat complex and the reader is referred to [39] for a complete description.

The complexity of the algorithm increases for each of the five steps. The first and second steps have complexity $O(n)$, where $n$ is the number of gates in the partial circuit. In step three, this increases to $O(n^2)$, since all possible combinations of two gates must be considered. For the same reason, the complexity of step four is $O(n^3)$. The most significant complexity is in step five: due to the recursion in combination with the testing of all possible input bits, this results in a complexity of $O(b!)$, where $b$ is the number of unused input bits. Even though the value of $b!$ is manageable in the case of the SoDark S-box, where $b \leq 8$, the big O notation hides the high complexity of each individual recursive call, which can include a complexity of $O(n^3)$ in addition to the $O(b!)$ term.

Finding the most efficient logic circuit for all eight output functions requires testing all $8!$ orders of building those eight output functions. The result is a total complexity of Kwan's algorithm of $O(b! \cdot b!)$, where $b$ is the number of S-box input and output bits.

5.3 Improvements to Kwan's Algorithm

An anonymous software project for building three-bit LUT circuit representations of S-boxes is available as a GitHub repository [40]. It contains several improvements to Kwan's algorithm.
Apart from the generation of LUT-based logic circuits, the two major improvements to
Kwan’s algorithm introduced in [40] are circuit randomization and a fast feasibility checking 
algorithm. 

The algorithm described by Kwan is deterministic and will always produce the same output 
given the same input. Due to the heuristic nature of the algorithm, there is no guarantee 
that this is the optimal result. By introducing randomization of the search order when 
searching for combinations of gates in steps one through four in the previous section, we 
can find equivalent—and possibly better—gate circuits simply by running the algorithm 
several times. 

The fast feasibility checking algorithm described in Algorithm 5.1 significantly improves 
the speed of Kwan’s algorithm by short-circuiting parts of step four in the previous section. 
It does this by performing a constant-time feasibility check for each combination of three 
gates before testing a large number of possible ways to combine them. The feasibility check 
itself is due to an interesting observation: Three gates with arbitrary truth tables can be 
combined to form an arbitrary target truth table if and only if the target truth table can be 
expressed as a product-of-sums expansion of the three input truth tables [41]. The feasibility 
checking algorithm can be extended and applied to an arbitrary number of input gates in a 
straightforward way. 

When generating LUT-based circuits, additional steps are added between steps four and five 
in Kwan’s algorithm. These steps search for combinations of three, five, and seven gates 
together with one, two, and three LUTs, respectively, to create the desired output truth table. 
Considering the large complexities involved in searching through all possible combinations 
of five and seven gates in the partial circuit, this would not be possible without the speed 
increase provided by the fast feasibility checking algorithm, especially considering that 
there are 256 possible functions for each LUT. 
Algorithm 5.1 Check if a target truth table can be produced by combining three input truth 
tables using any combination of gates. Adapted from [40]. 

procedure Check3Possible(target, mask, table1, table2, table3)
    match ← 0
    t1 ← NOT table1
    i ← 0
    for i < 2 do
        t2 ← NOT table2
        k ← 0
        for k < 2 do
            t3 ← NOT table3
            m ← 0
            for m < 2 do
                r ← t1 AND t2 AND t3
                if (target AND r AND mask) = (r AND mask) then
                    match ← match OR r
                else if (target AND r AND mask) ≠ 0 then
                    return false
                end if
                t3 ← NOT t3
                m ← m + 1
            end for
            t2 ← NOT t2
            k ← k + 1
        end for
        t1 ← NOT t1
        i ← i + 1
    end for
    if (target AND mask) = (match AND mask) then
        return true
    else
        return false
    end if
end procedure
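The feasibility check of Algorithm 5.1, as an added Python illustration rather than code from the thesis's C program: a 256-entry truth table is held in a 256-bit integer, and the check is used to prune the triples of input tables that are worth the expensive gate search. The helper names tt_var, tt_from_function and feasible_triples are constructed here.

```python
import itertools

# A truth table of an 8-input Boolean function is a 256-bit int: bit p holds
# the function value for input p = 0..255 (constructed representation).
N_INPUTS = 8
TT_BITS = 1 << N_INPUTS
TT_ALL = (1 << TT_BITS) - 1          # mask selecting every truth-table position


def tt_not(t):
    return ~t & TT_ALL


def tt_var(k):
    """Truth table of input variable k, i.e. bit k of the input index."""
    return sum(1 << p for p in range(TT_BITS) if (p >> k) & 1)


def tt_from_function(f):
    """Truth table of an arbitrary Boolean function f(p) of the 8-bit input p."""
    return sum(1 << p for p in range(TT_BITS) if f(p) & 1)


def check3_possible(target, mask, table1, table2, table3):
    """Constant-time feasibility check (Algorithm 5.1).

    Returns True iff, on the positions selected by mask, target is some Boolean
    function of table1, table2 and table3, which is exactly when a gate circuit
    over those three signals can produce it. Each of the eight products of the
    tables and their negations must lie entirely inside target or entirely
    outside it; a product that straddles target means two inputs with identical
    (t1, t2, t3) values would need different outputs.
    """
    match = 0
    t1 = tt_not(table1)
    for _ in range(2):
        t2 = tt_not(table2)
        for _ in range(2):
            t3 = tt_not(table3)
            for _ in range(2):
                r = t1 & t2 & t3
                if target & r & mask == r & mask:
                    match |= r                  # product lies inside target
                elif target & r & mask != 0:
                    return False                # product straddles target
                t3 = tt_not(t3)
            t2 = tt_not(t2)
        t1 = tt_not(t1)
    return target & mask == match & mask


def feasible_triples(target, mask, tables):
    """Indices of the 3-combinations of tables from which target can be built.

    This is the pruning step: only these triples are worth searching over
    concrete gate combinations.
    """
    return [trip for trip in itertools.combinations(range(len(tables)), 3)
            if check3_possible(target, mask, *(tables[i] for i in trip))]


if __name__ == "__main__":
    inputs = [tt_var(k) for k in range(N_INPUTS)]
    # Constructed target (x0 AND x1) XOR x2 depends on x0, x1 and x2 only.
    target = tt_from_function(lambda p: ((p & 1) & (p >> 1 & 1)) ^ (p >> 2 & 1))
    print(feasible_triples(target, TT_ALL, inputs))          # [(0, 1, 2)]
    # Don't-care positions: x3 is required only where it happens to equal x0.
    mask = tt_not(tt_var(0) ^ tt_var(3))
    print(check3_possible(tt_var(3), TT_ALL, *inputs[:3]),   # False
          check3_possible(tt_var(3), mask, *inputs[:3]))     # True
```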
5.4 Software Implementation 

For this research, Kwan’s algorithm from [39], along with the optimizations and modifications 
from [40], was implemented in the C programming language [42]. The resulting 
program can find logic circuit representations of the SoDark S-box that are suitable for 
various types of implementations on different platforms. This includes representations that 
use only the standard AND, OR, NOT, and XOR gates as well as an option that also allows 
for ANDNOT gates. Circuits can be built for a single output bit each, or for any combination 
of output bits. 

In addition to using the number of gates as a metric when building the circuits, a metric that 
promotes circuits with efficient CNF representations is also available. The latter is intended 
for generating S-box circuit representations that have high performance when used with 
SAT solvers. It uses the number of three-variable minterms in the CNF representation of 
the logic circuit as a measure of the circuit’s SAT performance. 

Circuits of 3-bit LUTs can also be generated. This allows fast bitslicing implementations on 
Nvidia platforms that implement the lop3.b32 Parallel Thread Execution (PTX) instruction, 
as described in Chapter 7. The logic circuits generated by the program can be output 
as C or CUDA source code as well as in the Graphviz [43] DOT format for visualization. 

5.5 Generated Circuits 

The program described in the previous section was used to generate circuits for the S-box 
that are suitable for implementations on general purpose computers, CUDA GPUs, and for 
conversion to CNF for use with SAT solvers. Despite the optimizations made, and the use 
of 1024 processor cores on the Hamming high-performance computer cluster, creating a 
combined logic circuit for all eight Boolean functions using LUTs proved to be too large a 
problem. Instead, eight separate circuits were created. Figures 5.1 and 5.2 show examples 
of the generated circuits. 
Figure 5.1. Logic circuit representation, with 60 gates, of the Boolean function 
for output bit 6 of the SoDark S-box. 







CHAPTER 6: 
SAT-Based Attacks 


The SAT problem is a fundamental problem of computer science. The description of the 
problem is simple: Given a Boolean formula, is there an assignment to its variables for 
which the formula evaluates to true? If such an assignment exists, the formula is said to be 
satisfiable. SAT problems are normally stated in CNF form. If the problem can be stated in 
a form where none of the minterms in its CNF expression contains more than two variables, 
it is said to be a 2-CNF SAT problem. Solutions for 2-CNF SAT problems can be found in 
polynomial time. 

The definition of the 3-CNF SAT problem is analogous to the 2-CNF SAT definition and 
it has been proven that all SAT problems of higher order are reducible to an equivalent 
3-CNF SAT problem. Furthermore, the 3-CNF SAT problem is proven NP-complete and is 
among the most studied NP problems [44]. The worst-case performance of the 3-CNF SAT 
is the same as for other MQ problems: $O(2^{\alpha n})$, $0 < \alpha < 1$. With modern SAT-solvers, 
$\alpha > 0.386$ for satisfiable 3-CNF SAT problems. Problems encountered in practice can 
often be solved even faster than this [15]. 

SAT solvers are computer programs specifically developed for solving SAT problems. 
Modern SAT solvers can solve hard problems involving thousands of variables occurring 
in a wide range of applications. In contrast, naive brute force methods can handle only a 
few tens of variables. The construction of SAT solving algorithms is still an active research 
problem in academia and many different heuristics are used. For that reason, this research’s 
focus has been on creating efficient CNF representations while treating the SAT solvers as 
black boxes. 

The problem of recovering the key from a cipher can be converted into a SAT problem 
by expressing the entire cipher in CNF. The logic circuit representations of the SoDark 
S-box created in Chapter 5 can be converted into CNF by using the Tseytin transform [45] 
whereby the gates in the circuit are converted to equivalent CNF representations. Table 6.1 
shows CNF representations of the gates used in Chapter 5. 
Table 6.1. Tseytin transformations for some logic gates. Adapted from [45]. 

Logic gate   Operation    Conjunctive normal form 
NOT          C = ¬A       (A ∨ C) ∧ (¬A ∨ ¬C) 
AND          C = AB       (¬A ∨ ¬B ∨ C) ∧ (A ∨ ¬C) ∧ (B ∨ ¬C) 
OR           C = A + B    (A ∨ B ∨ ¬C) ∧ (¬A ∨ C) ∧ (¬B ∨ C) 
XOR          C = A ⊕ B    (¬A ∨ ¬B ∨ ¬C) ∧ (A ∨ B ∨ ¬C) ∧ (A ∨ ¬B ∨ C) ∧ (¬A ∨ B ∨ C) 
ANDNOT       C = A¬B      (¬A ∨ B ∨ C) ∧ (A ∨ ¬C) ∧ (¬B ∨ ¬C) 


A C program that constructs a problem for input to a SAT solver was created [38]. It 
takes three plaintext-ciphertext-tweak tuples as input and converts them to their respective 
implied CNF representations in the DIMACS format commonly used by SAT solvers. 
Except for the S-boxes, the cipher consists entirely of XOR operations. This makes the 
conversion process fairly simple. It consists of converting Equations 3.1, 3.2, and 3.3 for 
each round into CNF using the logic circuit representation from Chapter 5 and the Tseytin 
transformations of the operations from Table 6.1. The 56 variables representing the key bits 
are shared among the parallel cipher representations. The 64 tweak bits can be completely 
removed from the CNF representation by observing that the XOR addition of a known bit 
is equivalent to the NOT operation if the bit is one and to doing nothing if the bit is zero. 
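The conversion just described, as an added Python example that is not the C program of [38]: a small builder emits the clause patterns of Table 6.1 in the DIMACS format, folds a known bit such as a tweak bit into the sign of a literal instead of adding clauses, and checks by exhaustive enumeration that each gate's clauses hold exactly when the output variable equals the gate's function. All names (CnfBuilder, xor_const, example_circuit, satisfying_assignments) are constructed.

```python
import itertools


class CnfBuilder:
    """Tseytin encoder: one variable per signal, one clause set per gate (the
    rows of Table 6.1). Literal v means variable v is true, -v means NOT v."""

    def __init__(self):
        self.nvars = 0
        self.clauses = []            # each clause is a tuple of literals

    def new_var(self):
        self.nvars += 1
        return self.nvars

    def add(self, *lits):
        self.clauses.append(tuple(lits))

    def NOT(self, a):
        c = self.new_var()
        self.add(a, c); self.add(-a, -c)
        return c

    def AND(self, a, b):
        c = self.new_var()
        self.add(-a, -b, c); self.add(a, -c); self.add(b, -c)
        return c

    def OR(self, a, b):
        c = self.new_var()
        self.add(a, b, -c); self.add(-a, c); self.add(-b, c)
        return c

    def XOR(self, a, b):
        c = self.new_var()
        self.add(-a, -b, -c); self.add(a, b, -c)
        self.add(a, -b, c); self.add(-a, b, c)
        return c

    def ANDNOT(self, a, b):          # C = A AND NOT B
        c = self.new_var()
        self.add(-a, b, c); self.add(a, -c); self.add(-b, -c)
        return c

    def xor_const(self, a, bit):
        """XOR with a known bit (e.g. a tweak bit): no variable or clause is
        needed, since XOR with 1 is NOT (a sign flip) and XOR with 0 is identity."""
        return -a if bit else a

    def dimacs(self):
        """Serialise in the DIMACS format read by CryptoMiniSat, Lingeling, etc."""
        out = ["p cnf %d %d" % (self.nvars, len(self.clauses))]
        out += [" ".join(str(l) for l in cl) + " 0" for cl in self.clauses]
        return "\n".join(out) + "\n"


def clauses_satisfied(clauses, assignment):
    """assignment maps variable -> 0/1; True iff every clause has a true literal."""
    return all(any(assignment[abs(l)] == (l > 0) for l in cl) for cl in clauses)


def satisfying_assignments(cnf):
    """Exhaustive search, for tiny instances only: every satisfying assignment
    as a tuple of 0/1 values indexed by variable number minus one."""
    return [bits for bits in itertools.product((0, 1), repeat=cnf.nvars)
            if clauses_satisfied(cnf.clauses, dict(enumerate(bits, start=1)))]


GATE_FUNCTIONS = {
    "NOT": lambda a, b: 1 - a,
    "AND": lambda a, b: a & b,
    "OR": lambda a, b: a | b,
    "XOR": lambda a, b: a ^ b,
    "ANDNOT": lambda a, b: a & (1 - b),
}


def gate_encoding_is_exact(name):
    """Check over all 2^3 input/output values that a gate's clauses are satisfied
    precisely when the output variable equals the gate's function."""
    f = GATE_FUNCTIONS[name]
    for a, b, c in itertools.product((0, 1), repeat=3):
        cnf = CnfBuilder()
        va, vb = cnf.new_var(), cnf.new_var()
        vc = cnf.NOT(va) if name == "NOT" else getattr(cnf, name)(va, vb)
        if clauses_satisfied(cnf.clauses, {va: a, vb: b, vc: c}) != (c == f(a, b)):
            return False
    return True


def example_circuit():
    """Constructed circuit y = (x1 AND x2) XOR (x3 XOR 1), with y fixed to 1 by a
    unit clause, the way a known ciphertext bit is fixed in the key-recovery CNF."""
    cnf = CnfBuilder()
    x1, x2, x3 = cnf.new_var(), cnf.new_var(), cnf.new_var()
    y = cnf.XOR(cnf.AND(x1, x2), cnf.xor_const(x3, 1))
    cnf.add(y)
    return cnf


if __name__ == "__main__":
    print(all(gate_encoding_is_exact(g) for g in GATE_FUNCTIONS))   # True
    print(example_circuit().dimacs())       # header line: p cnf 5 8
```

The four satisfying assignments of the example circuit are exactly those with x1 AND x2 = x3, which a solver would report as the "key" bits consistent with the fixed output.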

If the plaintext-ciphertext-tweak tuples are correct, the constructed SAT problem will be 
satisfiable. Due to the small block size, three tuples are needed to imply a single key in the 
case of SoDark-3. 

Table 6.2 shows statistics of the CNF representations for various numbers of rounds. The 
representations of the test vectors from [5] were tested with three different SAT solvers: 
CryptoMiniSat [28], Plingeling, and Treengeling [29]. All three are state-of-the-art 
parallel solvers that have performed well in the International SAT Competitions [46]. 
Plingeling and Treengeling are part of the Lingeling family of SAT solvers, while 
CryptoMiniSat is a fork of MiniSat [47] optimized for solving cryptological problems. 
Table 6.2. CNF representation statistics. 

Rounds   Clauses   Variables 
2        3864      12438 
3        7479      24252 
4        11094     36066 
5        14709     47880 

Plingeling and Treengeling were successful in solving the SAT problems and recovering 
the key for up to four rounds while CryptoMiniSat only managed to solve the two- and 
three-round SAT problems. For five-round problems, none of the solvers could find solutions 
even after more than two weeks of search. Solution times for each of the solvers are plotted 
in Figure 6.1. 
Figure 6.1. Performance of SAT solver attacks. 

CHAPTER 7: 
Brute Force Attacks 


7.1 Introduction 

As said in Chapter 2, all ciphers can be broken by brute force. For that reason, the size 
of the key space must be large enough to prevent exhaustive key search. With their small 
key lengths of 56 bits, all SoDark variants can be assumed to be vulnerable to brute force 
attacks in practice, see Table 2.3. For that reason, and to measure the actual upper bound 
of security for the algorithm, a brute force attack was mounted. 

An efficient brute force attack necessitates a fast implementation of the cipher. Section 2.4.1 
discusses some different approaches to fast exhaustive key search. From the investigations 
so far, nothing has been uncovered that would prevent ASIC attacks from being successful 
with speeds in the same order as the EFF’s ASIC-based computer on DES. Time and 
resource limitations prohibit such an attempt in this case and restrict attempts to commonly 
available computer hardware. 

7.2 The CUDA Framework 

The Nvidia CUDA parallel computing framework was chosen for the brute force implementation. 
It is a GPGPU framework primarily designed for use with Nvidia’s various 
GPU products and provides a C-like programming language for writing programs that run 
on them. A feature of recent generations of Nvidia GPUs that makes them particularly 
suitable for brute force key search is the lop3.b32 PTX instruction. PTX is the intermediate 
assembly-like language used by the CUDA framework, and its lop3.b32 instruction 
performs a bitwise 3-bit table lookup [48]. This single-instruction bitwise lookup enables 
the creation of bitslicing implementations that are faster than implementations that 
use only standard bitwise logic instructions. 

The execution of GPGPU programs differs significantly from the execution of programs 
on normal CPUs. GPUs can have thousands of cores and are therefore able to execute 
thousands of concurrent threads. Unlike CPU cores, the GPU cores execute in lockstep. 
While this is one of the reasons behind the speeds provided by GPGPU computing, it also 
causes severe performance penalties for branching instructions. Fast GPGPU programs 
therefore limit, or preferably eliminate, branch instructions. Performing operations on the 
processor and GPU in parallel with copying data between computer and GPU memory also 
improves performance by reducing latency [49]. 

7.3 Brute Force Bitslicing Implementation 

A CUDA bitslicing implementation of SoDark was developed for this thesis [38] using all 
methods described in the previous section to achieve close to optimal performance. It takes 
two or three plaintext-ciphertext-tweak tuples as input and outputs all matching keys. It 
supports using several CUDA devices and launches three parallel CPU threads per GPU 
device in order to minimize latency. 

The key space is divided into $2^{24}$ subsets of $2^{32}$ keys each. All keys in each set of $2^{32}$ keys 
share the same three most significant key bytes. This means that the first round, which 
uses only those key bytes, can be calculated once for all keys in the set. In the case of the 
Lattice eight-round version, the same applies to the last round, see Table 3.2. This reduces 
the number of rounds that the bitslicing part of the implementation has to perform from 
eight to six. Importantly, only five rounds of S-box operations have to be performed. 

With the guessed states after the first and before the last round having been computed on the 
CPU, the rest of the key bytes are tested on the GPU using a carefully optimized branch-free 
bitslicing CUDA implementation of rounds two through six. Since the platform register 
size is 32 bits, each kernel iteration tests 32 keys in parallel. Instead of executing branch 
instructions on the GPU to test for expected output, the comparison is done using bitwise 
logic instructions and the result copied to GPU memory. After each kernel is finished 
executing for a certain subset of $2^{32}$ keys, the results are copied from GPU to computer 
memory while another kernel executes for the next subset of keys. 

After copying the results to main memory, the CPU checks for keys that matched the first 
plaintext-ciphertext-tweak tuple. Matches are verified against the second and third tuples 
using a CPU SoDark implementation. Keys that satisfy all three tuples are output as 
candidates. 
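As an added Python example (not the thesis’s CUDA kernel [38]), the following emulates the 32-lane 3-input lookup of lop3.b32 with standard bitwise logic and shows the branch-free comparison of bitsliced results against an expected value. lop3, lut_for, to_slices, from_slices and matching_lanes are constructed names; the lookup-immediate convention (input a selects index bit 2, b bit 1, c bit 0) is the one the PTX instruction defines.

```python
# Each 32-bit word holds one bit position of 32 independent computations, one
# key candidate per lane, as in the Chapter 7 kernel (constructed helpers).
MASK32 = 0xFFFFFFFF


def lop3(a, b, c, lut):
    """Bitwise 3-input table lookup, the effect of the PTX lop3.b32 instruction:
    result bit i = lut[(a_i << 2) | (b_i << 1) | c_i]. The 8-bit lut is the
    function's truth table with a as the most significant index bit, which is
    how the instruction's immediate is defined (lut = f(0xF0, 0xCC, 0xAA)).
    Here the lookup is emulated as an OR of the minterms present in lut, which
    is what a platform without lop3 has to execute instead."""
    result = 0
    for idx in range(8):
        if lut >> idx & 1:
            result |= ((a if idx & 4 else ~a) &
                       (b if idx & 2 else ~b) &
                       (c if idx & 1 else ~c))
    return result & MASK32


def lop3_reference(a, b, c, lut):
    """Lane-by-lane lookup, used only to cross-check lop3()."""
    r = 0
    for i in range(32):
        idx = (a >> i & 1) << 2 | (b >> i & 1) << 1 | (c >> i & 1)
        r |= (lut >> idx & 1) << i
    return r


def lut_for(f):
    """8-bit lookup immediate for a 3-input function f(a, b, c) in lop3 order."""
    return sum(f(idx >> 2 & 1, idx >> 1 & 1, idx & 1) << idx for idx in range(8))


def to_slices(values, nbits):
    """Transpose up to 32 per-lane values into nbits slice words: bit i of
    slice j is bit j of lane i's value."""
    return [sum((v >> j & 1) << i for i, v in enumerate(values)) for j in range(nbits)]


def from_slices(slices, lanes=32):
    """Inverse transpose, e.g. to read back the state of one lane."""
    return [sum((s >> i & 1) << j for j, s in enumerate(slices)) for i in range(lanes)]


def matching_lanes(slices, expected):
    """Branch-free test of all 32 lanes against one expected value: returns a
    32-bit mask whose bit i is set iff lane i holds exactly 'expected'. This is
    the comparison the kernel performs with bitwise logic instead of branches;
    the host then scans the mask for set bits."""
    ok = MASK32
    for j, s in enumerate(slices):
        ok &= s if expected >> j & 1 else ~s    # lane survives only if bit j matches
    return ok & MASK32


if __name__ == "__main__":
    a, b, c = 0xF0F0F0F0, 0xCCCCCCCC, 0xAAAAAAAA   # replicated lop3 index pattern
    maj = lut_for(lambda x, y, z: (x & y) | (x & z) | (y & z))   # 0xE8
    print(hex(lop3(a, b, c, maj)))                 # 0xe8e8e8e8
    print(lop3(a, b, c, maj) == lop3_reference(a, b, c, maj))   # True
    slices = to_slices(list(range(32)), 5)         # lane i holds the value i
    print(hex(matching_lanes(slices, 7)))          # 0x80: only lane 7 matches
```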
7.4 Attack in Practice 

An exhaustive key search for all possible keys satisfying the first two plaintext-ciphertext- 
tweak tuples from the test vectors in [5] was performed using the implementation described 
in the previous section. The computer used had three Nvidia GeForce GTX 1070 GPUs. 
The entire key space took 14 days to search through. All keys matching the two tuples 
are presented in Table 7.1. This effectively proves that an exhaustive key search has been 
successfully performed. 

7.5 Ciphertext-Only Attack 

The known-plaintext brute force attacks on the 2G and 3G ALE linking protection ciphers 
can be extended to ciphertext-only attacks. This is made possible by the stereotypical nature 
of ALE linking operations and PDU format. In many cases, parts of the plaintexts can be 
accurately guessed only by observing encrypted message traffic. For a normal 2G ALE link 
establishment call as described in Section 2.3, the three bit preamble of each plaintext will 
be known. Additionally, it is known that the addresses in the first two PDUs will be identical. 
In total, this equals about 30 bits of known information that can be used in a brute force 
attack. More collected ciphertext-tweak pairs will be needed than for the corresponding 
known-plaintext attack, in order to reduce the set of candidate keys to a manageable number. 

Ciphertext-only attacks become easier with 3G ALE PDUs. This is due to the fact that 
only 24 bits of the 26-bit PDUs are encrypted. The two unencrypted bits, together with 
observations on the encrypted traffic, give information about the structure of the plaintext 
allowing bits to be guessed. Furthermore, the inclusion of a CRC value in the plaintext 
allows for easy validity checking of plaintexts during the attack. 
Table 7.1. All 218 keys that satisfy the first two Lattice test 
vectors ([54E0CD, C0D705, 543BD88000017550] and [54E0CD, 708434, 
543BD88040017550]), obtained through exhaustive search. 


CHAPTER 8: 
Conclusion 


8.1 Summary of Attacks 

Table 8.1 summarizes the attacks on SoDark-3 presented in this thesis. For five rounds 
and fewer, key recovery attacks are possible, given two arbitrary plaintext-ciphertext-tweak 
tuples. The attacks have time complexities that are significantly lower than for exhaustive 
key search. Additionally, key recovery using SAT solvers is possible for four and fewer 
rounds. 


Table 8.1. Summary of attacks on SoDark-3. Time complexities are 
weighted to be proportional to the brute force complexity of 2^? for the 
same number of rounds (see Section 4.1). 

Section  Type                         Rounds  Time     Data     Memory 
4.3      Known-plaintext structural   2       2^?      2 
4.4      Known-plaintext structural   3       2^16     2        - 
4.5      Known-plaintext structural   4       2^32.9   2        2^17.6 
4.6      Known-plaintext structural   5       2^49     2        2^? 
4.7      Chosen-tweak structural      6       2^46.1   2^12.7   - 
4.7      Chosen-tweak structural      7       2^46.1   2^12.7   - 
4.8      Chosen-tweak structural      8       2^45.1   2^12.7   - 
6        Known-plaintext SAT-based    ≤ 4     Low      3        Low 
7.4      Known-plaintext brute force  ★       2^55     2        - 
7.5      Ciphertext-only brute force  ★       2^55     > 2      - 

Attacks on six, seven, and eight rounds also exist with low time complexities. Their data 
complexities are manageable, but the requirements on relationships between tweaks make 
the attack hard to implement by a passive attacker. Referring back to Section 4.7, the 
attack requires all bytes in the tweaks in a pair of plaintext-ciphertext-tweak tuples to be 
identical, except for the fifth tweak byte. Considering the description of the ALE protocol 
in Section 2.3, this may indeed be possible to arrange for an attacker that, for example, has 
come in possession of a keyed ALE radio. 
It should be noted that, if tweaks are generated in accordance with the specifications in [4], 
the fifth byte contains the word number, see Table 2.2. It will be the only byte that changes 
between PDUs in a single linking transmission. There is therefore a small chance that the 
output differentials required for the six-, seven-, and eight-round attacks will occur during 
normal operation. For ALE networks that use AL-I, this probability will be higher than for 
networks using AL-2, due to the longer PI. 


In a normal three-PDU linking transmission, the PDUs form three different plaintext- 
ciphertext-tweak tuple-pairs, all with the required input differential. From Equation 4.80, 
the number of intercepted linking transmissions required to find the correct output 
differential with 50% probability is therefore 

$$\frac{11{,}629{,}080}{3} = 3{,}876{,}360. \qquad (8.1)$$


To put the number in perspective, it is equivalent to intercepting a linking transmission every 
eight seconds for a year. This is obviously not a realistic setting, except for possibly in some 
very high intensity military operations. It should be considered, however, that given the high 
proliferation of ALE technology and considering all messages by all users worldwide, there 
is certainly a non-negligible probability of the output differential appearing somewhere 
within some sufficiently large time interval. 


The demonstrated feasibility of brute force attacks on the SoDark ciphers, regardless of the 
number of rounds, shows that the level of protection provided by ALE linking protection 
is not sufficient. This is in agreement with the key length recommendations presented in 
Chapter 2. 


8.2 Discussion 

“Anyone, from the most clueless amateur to the best cryptographer, can create 
an algorithm that he himself can’t break. It’s not even hard. What is hard is 
creating an algorithm that no one else can break, even after years of analysis.” 

— Bruce Schneier [50] 
A fundamental maxim in cryptography is that one should not use proprietary or “home-made” 
cipher algorithms in any setting that requires real security. The pitfalls in cipher 
construction are many and even world-leading experts have failed in such efforts. The 
accepted best practice is to use well-known algorithms that have been developed and vetted 
thoroughly [51]. AES is probably the best known example of a cipher that satisfies these 
requirements. For that reason, it should come as no surprise that it is the world’s most used 
cipher algorithm. 

With this in mind, the decision by the creators of the ALE standards to design their own 
cipher algorithm is unfortunate. At the time 2G ALE was standardized, DES—though also 
a 56-bit cipher—was well known and used. Together with a suitable block cipher mode of 
operation, it would have been a good candidate in lieu of Lattice/SoDark. In any case, 
with developments during the 1990s in both cryptanalysis and demonstrated exhaustive key 
searches performed by, among others, the EFF and Distributed.net, a replacement of the 
56-bit linking protection algorithm should have been considered at the time. 

The use of a tweak in SoDark to thwart replay attacks, which was novel for the time, should 
be noted. Not only does it fulfill the requirements of channel- and time-variation well, 
it also effectively prevents the construction of TMTO attacks to which other ciphers with 
weak structure and short key lengths are susceptible. While many design decisions made 
in the construction of the ALE linking protection ciphers can be criticized, the design and 
inclusion of a tweak is certainly not one of those. 

The weaknesses presented in the SoDark cipher family and their impact on the ALE system 
as a whole is a good example of how design flaws in subsystems affect the design goals 
of the larger system. In this case, the design goals regarding confidentiality, integrity, 
and availability in the ALE system hinge completely on the cryptographic strength of the 
SoDark algorithm. 

An attacker with knowledge of an ALE linking protection key can attack an ALE HF 
radio system in a number of ways: First, the attacker can compromise confidentiality by 
recovering encrypted plaintexts. This will include identities of senders and receivers as well 
as any orderwire traffic transmitted using the ALE protocol. 
Second, the adversary can compromise the integrity of the network by injecting arbitrary 
ALE PDUs. This can be leveraged to establish links and inject higher level protocol traffic. 
The ability to inject PDUs can also be used to geographically locate other stations, by 
causing them to automatically transmit responses to received linking requests. 

Third, availability attacks are possible through PDU injection. For example, by saturating 
an ALE network with link establishment calls, an adversary can tie up all radio stations in 
the network with fake traffic, preventing the transmission of real traffic. 

The synchronous nature of 3G ALE makes it vulnerable to more attacks by an adversary 
with knowledge of the linking protection key. For example, by transmitting faked replies 
to time synchronization requests, the adversary can force radios out of the network by 
providing deliberately inaccurate time synchronization responses. 

It is also worth emphasizing that ALE linking protection, whether the cipher is secure or not, 
only protects the linking process itself. After the link has been established, it is handed off 
for use by higher level protocols. If those protocols do not include protection mechanisms 
of their own, attacks on established links are possible without knowledge of the linking 
protection key through the use of normal electronic warfare traffic injection methods. 

8.3 Recommendations 

The ciphers in the SoDark family should not be used. 

For short-term mitigation, ALE linking protection users should change keys at least on a 
daily basis, regardless of their threat model. If the threat model includes adversaries that 
have access to the resources of medium or large organizations, keys should be assumed to 
be recovered within, at most, hours from interception of traffic. Appropriate changes in 
operating procedures should be made to ensure protection of confidentiality, integrity, and 
availability in the system. 

For long-term mitigation, the solution is to implement secure replacements for the SoDark 
ciphers. Users that have access to AL-3 and AL-4 linking protection ciphers can use those. 
For users that do not, a suggested replacement for SoDark is outlined in the next section. 





8.4 A Suggested Replacement for SoDark 

According to [52], the ALE designers are aware of the questionable security of the SoDark 
family. For that reason, they are considering a replacement cipher for fourth-generation (4G) 
ALE. Unfortunately, a purpose-made cipher, Halfloop, is once again a candidate, both to 
replace 24- and 48-bit SoDark in 4G ALE as well as in a 96-bit version for encryption of 
the 96-bit PDUs introduced in that standard. 

A better option would be to use encryption based on best practice methods to replace 
SoDark in 2G and 3G ALE and for linking protection in 4G ALE. 

AES is by far the most used and most trusted cipher algorithm today. It was created and 
standardized through an open and rigorous process. Additionally, it is the first, and so 
far only, publicly developed cipher approved by the NSA for protection of U.S. classified 
information. 

With a block size of 128 bits, AES cannot be applied as a drop-in replacement. However, 
using block ciphers directly is unusual in applications. This is the purpose of block cipher 
modes of operation. A mode of operation that preserves the format of the encrypted PDUs 
as well as satisfies the other requirements on linking protection is the Thorp shuffle [53]. It 
stands on a sound mathematical foundation and is backed by solid reasoning concerning its 
security. It is well suited for format preserving encryption of the small blocks used in the 
ALE standards. 

The Thorp shuffle is a maximally unbalanced Feistel network that encrypts a single bit per 
round, so the number of rounds is equal to the block size. Figure 8.1 illustrates one round of 
the Thorp shuffle. Here, AES is suggested as a round function. The authors of [53] present 
a method to avoid calling the round function in every round that they dub the 5x trick. Using 
this method, the function only needs to be called $\lceil n/5 \rceil = 5$ times in the 24-bit case, $\lceil n/5 \rceil = 10$ 
times in the 48-bit case, and $\lceil n/5 \rceil = 20$ times in the 96-bit case. The number of passes of 
the Thorp shuffle required for proper security is investigated in [53]. 

Since $n - 1$ bits of input to the AES round function are used, where $n$ is the block size, the 
remaining $129 - n$ bits can be used to input a tweak. In the case of $n = 96$, only 33 bits are 
available for tweak use. A solution to this could be to use an additional AES encryption 
Figure 8.1. One round of the Thorp shuffle with AES as the Feistel round 
function. One bit, b, is encrypted into a bit d and concatenated with the 
unaffected bits x. Adapted from [53]. 


operation to compress the 64-bit tweak and add the result to the input in some suitable 
manner. 

One of the reasons the Rijndael algorithm was selected for the AES standard over the 
other candidates was its speed on a variety of platforms, including on small 8-bit embedded 
systems [16]. This, together with the low number of PDUs encrypted in any linking 
operation, should make the speed of the proposed solution acceptable, even on embedded 
hardware in field radios. 
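The construction suggested above, as an added Python example that is neither the thesis's code nor the implementation of [53]: a Thorp shuffle over n-bit PDUs with a tweak, one bit per round and n rounds per pass, with encryption and its inverse. AES, the round function of Figure 8.1, is replaced by HMAC-SHA256 as a stand-in (an assumption so the example runs on the standard library alone; the full 64-bit tweak is fed in directly, so the 129 - n bit limit of the AES variant does not arise), the 5x trick is not applied, and the names round_bit, thorp_encrypt, thorp_decrypt and is_permutation are constructed.

```python
import hashlib
import hmac


def round_bit(key, tweak, rnd, rest, nbits):
    """One keyed pseudorandom bit from the n-1 untouched state bits, the tweak
    and the round index, so that every round and tweak sees a distinct PRF.
    HMAC-SHA256 stands in for the AES call of Figure 8.1 (assumption)."""
    msg = (tweak.to_bytes(8, "big") + rnd.to_bytes(2, "big")
           + rest.to_bytes((nbits + 7) // 8, "big"))
    return hmac.new(key, msg, hashlib.sha256).digest()[0] & 1


def thorp_encrypt(key, tweak, x, nbits, passes=1):
    """Thorp shuffle: one bit per round, nbits rounds per pass. The output
    stays in range(2 ** nbits), which is what makes it format preserving."""
    assert 0 <= x < 1 << nbits
    rest_mask = (1 << (nbits - 1)) - 1
    for rnd in range(nbits * passes):
        b = x >> (nbits - 1)             # the single bit encrypted this round
        rest = x & rest_mask             # the n-1 bits passed through unchanged
        d = b ^ round_bit(key, tweak, rnd, rest, nbits)
        x = (rest << 1) | d              # rest shifts up, d becomes the new LSB
    return x


def thorp_decrypt(key, tweak, y, nbits, passes=1):
    """Inverse: peel the rounds off in reverse order."""
    assert 0 <= y < 1 << nbits
    for rnd in reversed(range(nbits * passes)):
        d = y & 1
        rest = y >> 1
        b = d ^ round_bit(key, tweak, rnd, rest, nbits)
        y = (b << (nbits - 1)) | rest
    return y


def is_permutation(key, tweak, nbits, passes=1):
    """Check on a small block that encryption is a bijection of the domain."""
    outs = sorted(thorp_encrypt(key, tweak, x, nbits, passes) for x in range(1 << nbits))
    return outs == list(range(1 << nbits))


if __name__ == "__main__":
    key = b"placeholder-key!"                   # 16-byte placeholder, not a real key
    pdu, tweak = 0x54E0CD, 0x543BD88000017550   # values from the test vectors at Table 7.1
    ct = thorp_encrypt(key, tweak, pdu, 24)
    print(hex(ct), thorp_decrypt(key, tweak, ct, 24) == pdu)   # 24-bit output, True
    print(is_permutation(key, tweak, 8))                       # True
```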


8.5 Ideas for Further Research 

Many lines of effort were abandoned due to time constraints. They may provide further 
insight into the security of the SoDark family of ciphers. 

Structural attacks, like the ones described in Chapter 4, may be possible for more than eight 
rounds. The filtering technique described in Sections 4.7 and 4.8 that enables identifying 
specific differentials many rounds into the cipher with high probability works on any number 
of rounds. 

No structural attacks were attempted on SoDark-6. The methods developed for SoDark-3 
are likely applicable and may yield similar results. 
Approaches to algebraic cryptanalysis other than the one used in Chapter 6 may prove 
fruitful. For example, SAT solvers based on belief propagation tend to be very fast in 
solving known satisfiable SAT problems. In some cases they are able to solve very large 
problems where other SAT solvers fail [44]. 

The algorithms used to create the logic circuit representations were designed for creating 
circuits that are efficient to implement on modern CPUs. Modification of the algorithms 
so that they can find networks with all 14 non-trivial Boolean functions of two variables 
would likely result in smaller circuits that are easier for SAT solvers to handle. 

An extension of the brute force solver developed in Chapter 7 to handle the ciphertext-only 
attacks described in Section 7.5 would provide an upper bound on the security of the cipher 
in best-case conditions. 